
Analysis Report Faktura_21611447.exe

Overview

General Information

Sample Name: Faktura_21611447.exe
Analysis ID: 433220
MD5: 37178995799dac98cf429b946925e324
SHA1: 7653bcfc4a5dc75afa7efa2aa2531acd06b25679
SHA256: b86fbdeb14cd6cd5b5e144d029844e1c7d6e51c82b1bb7c3f0f07f8ff07258c9
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
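The three WMI signatures above (Win32_Bios and Win32_BaseBoard, Win32_NetworkAdapter, Win32_Processor) describe one VM-fingerprinting routine, and the report notes that no Sigma rule matched. Below is an added example, not from the report, of detection logic that scores WMI query telemetry for that routine instead of alerting on any single query. SAMPLE_LOG is constructed for the example and only loosely imitates the "Operation = ...; ClientProcessId = ..." text of Microsoft-Windows-WMI-Activity events; the CreateInstanceEnum wording is the one the report prints in its own WMI Queries line. The field names of a real collector, the threshold and the class list are assumptions to adapt.

```python
"""Score WMI query activity for the VM-fingerprinting routine the signatures
above describe (Win32_BIOS, Win32_BaseBoard, Win32_Processor and
Win32_NetworkAdapter all queried by one process).

Added example; not part of this Joe Sandbox report. SAMPLE_LOG is constructed
and only loosely imitates the "Operation = ...; ClientProcessId = ..." text of
Microsoft-Windows-WMI-Activity events; the CreateInstanceEnum wording is the
one the report prints in its own WMI Queries line. Field names of a real
collector are an assumption to adapt.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# WMI classes commonly read to recognise a VM or sandbox by vendor strings.
VM_FINGERPRINT_CLASSES = {
    "win32_bios", "win32_baseboard", "win32_processor", "win32_networkadapter",
    "win32_computersystem", "win32_diskdrive", "win32_videocontroller",
}
# One such query is routine (installers, inventory agents); several distinct
# classes from a single process in a short window is the evasion pattern.
ALERT_THRESHOLD = 2

_PID_RE = re.compile(r"ClientProcessId\s*=\s*(\d+)")
_OP_RE = re.compile(r"Operation\s*=\s*([^;]+)")
# "root\cimv2 : Win32_Processor" (CreateInstanceEnum) or
# "root\cimv2 : SELECT * FROM Win32_BIOS" (ExecQuery)
_CLASS_RE = re.compile(
    r"root\\cimv2\s*:\s*(?:select\s+.+?\s+from\s+)?(win32_\w+)", re.IGNORECASE
)


def parse_wmi_line(line: str) -> Optional[Tuple[int, str]]:
    """Return (client pid, lower-cased WMI class) or None if no class is named."""
    pid_m = _PID_RE.search(line)
    op_m = _OP_RE.search(line)
    if not pid_m or not op_m:
        return None
    cls_m = _CLASS_RE.search(op_m.group(1))
    if not cls_m:
        return None
    return int(pid_m.group(1)), cls_m.group(1).lower()


def fingerprint_classes_by_pid(lines: List[str]) -> Dict[int, List[str]]:
    """Map each client pid to the sorted fingerprint classes it queried."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_wmi_line(line)
        if parsed is None:
            continue
        pid, cls = parsed
        if cls in VM_FINGERPRINT_CLASSES:
            seen[pid].add(cls)
    return {pid: sorted(classes) for pid, classes in seen.items()}


def alerts(lines: List[str]) -> Dict[int, List[str]]:
    """Processes that queried at least ALERT_THRESHOLD distinct fingerprint classes."""
    return {pid: c for pid, c in fingerprint_classes_by_pid(lines).items()
            if len(c) >= ALERT_THRESHOLD}


# Constructed log lines; 4632 is the sample's PID in this report, 2210 is an
# invented inventory agent that asks for one hardware class only.
SAMPLE_LOG = [
    r"ClientProcessId = 4632; Operation = Start IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor; ResultCode = 0x0",
    r"ClientProcessId = 4632; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS; ResultCode = 0x0",
    r"ClientProcessId = 4632; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard; ResultCode = 0x0",
    r"ClientProcessId = 4632; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter; ResultCode = 0x0",
    r"ClientProcessId = 2210; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_OperatingSystem; ResultCode = 0x0",
    r"ClientProcessId = 2210; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor; ResultCode = 0x0",
]

if __name__ == "__main__":
    for pid, classes in alerts(SAMPLE_LOG).items():
        print(f"pid {pid}: VM fingerprinting via {', '.join(classes)}")
```

Keep the count per process over a short time window and suppress known inventory agents by image path: a single Win32_Processor query is routine, four fingerprint classes from an .exe on the Desktop is not.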

Classification

Process Tree

  • System is w10x64
  • Faktura_21611447.exe (PID: 4632 cmdline: 'C:\Users\user\Desktop\Faktura_21611447.exe' MD5: 37178995799DAC98CF429B946925E324)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "administracion@gruposolve.estT^eJ7+z7MXqmail.gruposolve.esalfredbnolan@yandex.com"}

The "SMTP Info" value is several configuration fields run together without a separator: the sender mailbox used for exfiltration (administracion@gruposolve.es), its password, the SMTP server (mail.gruposolve.es) and the recipient mailbox (alfredbnolan@yandex.com). The sender account and mail server belong to an unrelated third-party domain, which is typical of AgentTesla SMTP configurations that reuse a compromised legitimate mail account, so treat them as a victim to notify and block rather than as attacker infrastructure; the yandex.com recipient is the drop mailbox. Because the extracted string contains the account password, handle the configuration as sensitive.

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.323889609.0000000003D51000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(truncated: the report's expandable list gives 8 entries)

            Unpacked PEs

Source | Rule | Description | Author
0.2.Faktura_21611447.exe.3e1adb8.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Faktura_21611447.exe.3e1adb8.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
18.2.Faktura_21611447.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.Faktura_21611447.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
18.0.Faktura_21611447.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(truncated: the report's expandable list gives 3 entries)
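To read the dump identifiers in the two tables above (for instance which process and which memory protection 00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp refers to), here is a small decoder. It is an added example, not part of Joe Sandbox or of this report. The field layout it assumes is inferred from the names on this page: the first field of an .sdmp name is the hexadecimal process index (0x12 is process 18, matching the 18.2.Faktura_21611447.exe.400000.0.unpack entries), the fourth is the region base address and the fifth is a Windows PAGE_* protection constant; the second, third and sixth fields are passed through undecoded. The practical payoff is that the AgentTesla hits in process 18 at 0x402000 sit in a PAGE_EXECUTE_READWRITE region at the usual image base of a hollowed child, which is the dump to unpack and scan first.

```python
"""Decode Joe Sandbox dump names as they appear in the Yara Overview tables
and flag the dumps most likely to hold an injected payload.

Added example; it is not part of Joe Sandbox or of this report. The field
layout is an ASSUMPTION inferred from the names on this page: in an .sdmp
name the first field is the hexadecimal process index (0x12 == process 18,
matching "18.2.Faktura_21611447.exe.400000.0.unpack"), the fourth is the
region base address and the fifth is a Windows PAGE_* protection constant;
the second, third and sixth fields are carried through undecoded.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Windows memory protection constants from winnt.h (these values are standard).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE_EXECUTABLE = {0x40, 0x80}

# <proc>.<stage>.<dump id>.<base>.<protect>.<flags>.sdmp  (layout assumed, see above)
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<flags>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)
# <proc>.<stage>.<image name>.<base>.<index>.unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.(?P<idx>\d+)\.unpack$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpInfo:
    kind: str               # "sdmp" or "unpack"
    process_index: int      # decimal index of the process within the analysis
    stage: int
    base: int               # base address of the dumped region
    protect: Optional[int]  # PAGE_* value for .sdmp names, None for .unpack names
    protect_name: str

    @property
    def executable(self) -> bool:
        return self.protect in EXECUTABLE

    @property
    def writable_and_executable(self) -> bool:
        return self.protect in WRITABLE_EXECUTABLE


def parse_dump_name(name: str) -> DumpInfo:
    """Parse either naming scheme; raise ValueError on anything else."""
    m = SDMP_RE.match(name)
    if m:
        protect = int(m["protect"], 16)
        return DumpInfo(
            kind="sdmp",
            process_index=int(m["proc"], 16),
            stage=int(m["stage"], 16),
            base=int(m["base"], 16),
            protect=protect,
            protect_name=PAGE_PROTECT.get(protect, f"0x{protect:x}"),
        )
    m = UNPACK_RE.match(name)
    if m:
        return DumpInfo("unpack", int(m["proc"]), int(m["stage"]),
                        int(m["base"], 16), None, "n/a")
    raise ValueError(f"unrecognised dump name: {name}")


def injected_payload_candidates(names: List[str]) -> List[str]:
    """Return the .sdmp names whose region is writable and executable. A PE that
    a loader writes into a freshly started copy of itself lands in such a
    region, so these are the dumps to unpack and scan first."""
    return [n for n in names if parse_dump_name(n).writable_and_executable]


if __name__ == "__main__":
    # Names copied from the Yara Overview section of this report.
    names = [
        "00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp",
        "00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp",
        "00000000.00000002.323889609.0000000003D51000.00000004.00000001.sdmp",
        "18.2.Faktura_21611447.exe.400000.0.unpack",
    ]
    for n in names:
        d = parse_dump_name(n)
        print(f"{d.kind:6} process {d.process_index:>2} base 0x{d.base:08x} {d.protect_name}")
    print("RWX candidates:", injected_payload_candidates(names))
```

The PAGE_READWRITE dumps (0x2B11000 in process 18, 0x3D51000 in process 0) are heap or data regions that still match the AgentTesla rules because decrypted strings and configuration live there; that is where the extractor recovered the SMTP configuration.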

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview


                      AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Faktura_21611447.exe | Avira: detected
Found malware configuration
Source: 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "administracion@gruposolve.estT^eJ7+z7MXqmail.gruposolve.esalfredbnolan@yandex.com"}
Multi AV Scanner detection for submitted file
Source: Faktura_21611447.exe | Virustotal: Detection: 31%
Machine Learning detection for sample
Source: Faktura_21611447.exe | Joe Sandbox ML: detected
Source: 18.2.Faktura_21611447.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.0.Faktura_21611447.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: Faktura_21611447.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Faktura_21611447.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] (0_2_02C19B28)
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] (0_2_02C19B30)
Source: Faktura_21611447.exe, 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Faktura_21611447.exe, 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Faktura_21611447.exe, 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp | String found in binary or memory: http://IzzKkp.com
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Faktura_21611447.exe, 00000000.00000003.234916006.00000000083DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Faktura_21611447.exe, 00000000.00000003.318787394.00000000083D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Faktura_21611447.exe, 00000000.00000003.231619653.000000000840E000.00000004.00000001.sdmp, Faktura_21611447.exe, 00000000.00000003.231673587.000000000840E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp, Faktura_21611447.exe, 00000000.00000003.233541061.00000000083DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Faktura_21611447.exe, 00000000.00000003.233867585.00000000083DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnE
Source: Faktura_21611447.exe, 00000000.00000003.233444092.00000000083D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna
Source: Faktura_21611447.exe, 00000000.00000003.233525778.000000000840D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnv1
Source: Faktura_21611447.exe, 00000000.00000003.241112120.00000000083FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp, Faktura_21611447.exe, 00000000.00000002.320027257.0000000000F87000.00000004.00000040.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Faktura_21611447.exe, 00000000.00000003.241066086.00000000083FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/zY
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Faktura_21611447.exe, 00000000.00000002.323889609.0000000003D51000.00000004.00000001.sdmp, Faktura_21611447.exe, 00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Faktura_21611447.exe, 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: Faktura_21611447.exe, 00000000.00000002.320485039.00000000010B9000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Note on the strings above: the font-vendor URLs (fontbureau.com, founder.com.cn, galapagosdesign.com, sakkal.com and the others of that kind) are copyright metadata of installed fonts that ended up in the memory of process 0; they are not contact points for this malware, and the DDRAW.DLL hook entry is application-compatibility shim data of the same incidental kind. The Tor Browser archive URL is a string AgentTesla carries for its Tor exfiltration option, which the extracted configuration does not select (Exfil Mode is SMTP), so the network indicators that matter for this sample are the SMTP server and mailboxes in the configuration.

                      System Summary:

.NET source code contains very large array initializations
Source: 18.2.Faktura_21611447.exe.400000.0.unpack, <PrivateImplementationDetails>{2A6ECC31-AE3C-4AED-9CE8-F5792F617EED}/308776FA-B125-4DEC-9BF6-9AD8AC8114EC.cs | Large array initialization: .cctor: array initializer size 11965
Source: 18.0.Faktura_21611447.exe.400000.1.unpack, <PrivateImplementationDetails>{2A6ECC31-AE3C-4AED-9CE8-F5792F617EED}/308776FA-B125-4DEC-9BF6-9AD8AC8114EC.cs | Large array initialization: .cctor: array initializer size 11965
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Code function: 0_2_00F603AC NtQueryInformationProcess
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Code function: 0_2_00F671F1 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Code function: 0_2_00F6033F NtQueryInformationProcess
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Code functions: 0_2_00884E38, 0_2_00F620F9, 0_2_00F67518, 0_2_00F65799, 0_2_00F61741, 0_2_00F60FE8, 0_2_00F66FC8, 0_2_00F660D0, 0_2_00F6608D, 0_2_00F661BD, 0_2_00F65130, 0_2_00F65350, 0_2_00F65340, 0_2_00F60471, 0_2_00F655E0, 0_2_00F67508, 0_2_00F65A90, 0_2_00F65A81, 0_2_00F64A70, 0_2_00F64A61, 0_2_00F61BF8, 0_2_00F64D60, 0_2_00F63ED0, 0_2_00F63EC0, 0_2_00F60F40, 0_2_02C17AB4, 0_2_02C1704A, 0_2_02C17050, 0_2_02C15054, 0_2_02C19078, 0_2_05A30007, 0_2_05A30040, 0_2_05A30270, 0_2_0833B871
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Code functions: 18_2_00574E38, 18_2_029647A0, 18_2_02964772, 18_2_0296D820
Source: Faktura_21611447.exe, 00000000.00000002.321633943.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename WindowsNetwork.dll vs Faktura_21611447.exe
Source: Faktura_21611447.exe, 00000000.00000002.321633943.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename pgWpOcxrKpwjmSMtsGnKdoHGRKMrHbU.exe vs Faktura_21611447.exe
Source: Faktura_21611447.exe, 00000000.00000002.325264652.0000000003EE7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename MajorRevision.exe vs Faktura_21611447.exe
Source: Faktura_21611447.exe, 00000000.00000002.319140028.0000000000916000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename 7U61.exe vs Faktura_21611447.exe
Source: Faktura_21611447.exe, 00000000.00000002.327575688.0000000005190000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename mscorrc.dll vs Faktura_21611447.exe
Source: Faktura_21611447.exe, 00000000.00000002.320485039.00000000010B9000.00000004.00000020.sdmp | Binary or memory string: OriginalFilename clr.dll vs Faktura_21611447.exe
Source: Faktura_21611447.exe, 00000012.00000002.490422697.0000000000606000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename 7U61.exe vs Faktura_21611447.exe
Source: Faktura_21611447.exe, 00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilename pgWpOcxrKpwjmSMtsGnKdoHGRKMrHbU.exe vs Faktura_21611447.exe
Source: Faktura_21611447.exe | Binary or memory string: OriginalFilename 7U61.exe vs Faktura_21611447.exe

The OriginalFilename strings separate the layers: 7U61.exe is the version-info name of the submitted file itself (it also appears in process 18, which is the same executable started a second time); pgWpOcxrKpwjmSMtsGnKdoHGRKMrHbU.exe is the version-info name of the payload, found at 0x402000 in process 18, the same region the AgentTesla Yara rules hit; WindowsNetwork.dll and MajorRevision.exe are further embedded modules found in the loader's memory; mscorrc.dll and clr.dll are .NET runtime modules and not part of the malware.

Source: Faktura_21611447.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Faktura_21611447.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 18.2.Faktura_21611447.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 18.0.Faktura_21611447.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Faktura_21611447.exe, 00000000.00000003.233010938.000000000840D000.00000004.00000001.sdmp | Binary or memory string: un Gothic is a trademark of the Microsoft group of companies.slnt
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Faktura_21611447.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Faktura_21611447.exe.log
Source: Faktura_21611447.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Faktura_21611447.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Faktura_21611447.exe | Virustotal: Detection: 31%
Source: unknown | Process created: C:\Users\user\Desktop\Faktura_21611447.exe 'C:\Users\user\Desktop\Faktura_21611447.exe'
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Process created: C:\Users\user\Desktop\Faktura_21611447.exe {path}
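The two process-creation lines above show the loader starting a second copy of its own executable, which is the setup for the suspended-process PE injection the signature list flags ("Creates a process in suspended mode", "Injects a PE file into a foreign processes"). The following added example, not from the report, is detection logic over process-creation records that loosely follow Sysmon Event ID 1 field names. The records are constructed: PID 4632 and the Desktop path are taken from this report, while the other PIDs and the chrome.exe records are invented to exercise the false-positive guard for applications that legitimately re-launch themselves from their install directory.

```python
"""Flag a process that launches a second copy of its own executable from a
user-writable location, the setup step for suspended-process PE injection.

Added example; not part of this Joe Sandbox report. The records below are
constructed and only loosely follow the field names of Sysmon Event ID 1
(ProcessCreate). PID 4632 and the Desktop path come from this report; the
other PIDs and the chrome.exe records are invented to exercise the
false-positive guard.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Install locations from which an application re-launching itself is ordinary
# (browser renderer processes, build tools). Anything else that does it, such as
# an "invoice" .exe on the Desktop, is worth an alert.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def _norm(path: str) -> str:
    # Sysmon reports paths with mixed case; compare case-insensitively.
    return ntpath.normpath(path).lower()


def is_trusted_location(image: str) -> bool:
    return _norm(image).startswith(TRUSTED_PREFIXES)


def find_self_spawns(events: List[ProcessCreate]) -> List[Tuple[int, int, str]]:
    """Return (parent_pid, child_pid, image) for every child whose image is the
    same file as its parent's and is outside the trusted install locations."""
    hits = []
    for ev in events:
        if _norm(ev.image) != _norm(ev.parent_image):
            continue
        if is_trusted_location(ev.image):
            continue
        hits.append((ev.parent_pid, ev.pid, ev.image))
    return hits


# Constructed records (see module docstring).
SAMPLE_EVENTS = [
    ProcessCreate(4632, r"C:\Users\user\Desktop\Faktura_21611447.exe",
                  r"'C:\Users\user\Desktop\Faktura_21611447.exe'",
                  3980, r"C:\Windows\explorer.exe"),
    ProcessCreate(5120, r"C:\Users\user\Desktop\Faktura_21611447.exe",
                  r"C:\Users\user\Desktop\Faktura_21611447.exe",
                  4632, r"C:\Users\user\Desktop\Faktura_21611447.exe"),
    ProcessCreate(6004, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                  "chrome.exe --type=renderer",
                  5900, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

if __name__ == "__main__":
    for parent, child, image in find_self_spawns(SAMPLE_EVENTS):
        print(f"self-spawn outside trusted location: {image} (parent {parent} -> child {child})")
```

On its own this is a medium-confidence signal; if the EDR in use also records the parent writing to or modifying the memory of that child before its first thread runs, correlating the two events makes the process-hollowing verdict firm.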
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Faktura_21611447.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Faktura_21611447.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Faktura_21611447.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Code function: 0_2_0088AE48 push ebp; retf 0_2_0088AE49
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Code function: 0_2_0088527F push ebx; retf 0_2_008852A2
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Code function: 0_2_05A349B5 push FFFFFF8Bh; iretd 0_2_05A349B7
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Code function: 18_2_0057AE48 push ebp; retf 18_2_0057AE49
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Code function: 18_2_0057527F push ebx; retf 18_2_005752A2
Source: initial sample | Static PE information: section name: .text entropy: 7.59684776596
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Faktura_21611447.exe PID: 4632, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Faktura_21611447.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Faktura_21611447.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Faktura_21611447.exe, 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Faktura_21611447.exe, 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Window / User API: threadDelayed 9275
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Window / User API: threadDelayed 544
Source: C:\Users\user\Desktop\Faktura_21611447.exe TID: 480 | Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\Desktop\Faktura_21611447.exe TID: 488 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Faktura_21611447.exe TID: 4372 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\Desktop\Faktura_21611447.exe TID: 2856 | Thread sleep count: 9275 > 30
Source: C:\Users\user\Desktop\Faktura_21611447.exe TID: 2856 | Thread sleep count: 544 > 30
Source: C:\Users\user\Desktop\Faktura_21611447.exe TID: 4372 | Thread sleep count: 46 > 30
Source: C:\Users\user\Desktop\Faktura_21611447.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Thread delayed: delay time: 922337203685477
Source: Faktura_21611447.exe, 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: Faktura_21611447.exe, 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Faktura_21611447.exe, 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Faktura_21611447.exe, 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Faktura_21611447.exe, 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: Faktura_21611447.exe, 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Faktura_21611447.exe, 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Faktura_21611447.exe, 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Faktura_21611447.exe, 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Memory written: C:\Users\user\Desktop\Faktura_21611447.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Process created: C:\Users\user\Desktop\Faktura_21611447.exe {path}
Source: Faktura_21611447.exe, 00000012.00000002.493011203.0000000001410000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Faktura_21611447.exe, 00000012.00000002.493011203.0000000001410000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Faktura_21611447.exe, 00000012.00000002.493011203.0000000001410000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: Faktura_21611447.exe, 00000012.00000002.493011203.0000000001410000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: Faktura_21611447.exe, 00000012.00000002.493011203.0000000001410000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Users\user\Desktop\Faktura_21611447.exe VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Faktura_21611447.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Users\user\Desktop\Faktura_21611447.exe VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Faktura_21611447.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.323889609.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.318036726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Faktura_21611447.exe.3e1adb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Faktura_21611447.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.Faktura_21611447.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Faktura_21611447.exe.3e1adb8.4.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla
Source: Yara match | File source: 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.323889609.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.318036726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Faktura_21611447.exe PID: 4632, type: MEMORY
Source: Yara match | File source: Process Memory Space: Faktura_21611447.exe PID: 5800, type: MEMORY
Source: Yara match | File source: 0.2.Faktura_21611447.exe.3e1adb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Faktura_21611447.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.Faktura_21611447.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Faktura_21611447.exe.3e1adb8.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.323889609.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.318036726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Faktura_21611447.exe.3e1adb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Faktura_21611447.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.Faktura_21611447.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Faktura_21611447.exe.3e1adb8.4.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla
Source: Yara match | File source: 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.323889609.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.318036726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Faktura_21611447.exe PID: 4632, type: MEMORY
Source: Yara match | File source: Process Memory Space: Faktura_21611447.exe PID: 5800, type: MEMORY
Source: Yara match | File source: 0.2.Faktura_21611447.exe.3e1adb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Faktura_21611447.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.Faktura_21611447.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Faktura_21611447.exe.3e1adb8.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is listed here per tactic column. Numbers in parentheses are the count badges shown next to observed techniques in the original matrix; techniques without a number are unobserved matrix entries.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (211); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (112); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Process Injection (112); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (3)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (211); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Information Discovery (113); System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

[Behavior graph image not included in this extract.]

Screenshots

[Screenshot thumbnails not included in this extract.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Faktura_21611447.exe | 31% | Virustotal | (none)
Faktura_21611447.exe | 100% | Avira | HEUR/AGEN.1129504
Faktura_21611447.exe | 100% | Joe Sandbox ML | (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.Faktura_21611447.exe.880000.0.unpack | 100% | Avira | HEUR/AGEN.1129504
18.2.Faktura_21611447.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
18.0.Faktura_21611447.exe.570000.2.unpack | 100% | Avira | HEUR/AGEN.1129504
18.0.Faktura_21611447.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
18.0.Faktura_21611447.exe.570000.0.unpack | 100% | Avira | HEUR/AGEN.1129504
18.2.Faktura_21611447.exe.570000.1.unpack | 100% | Avira | HEUR/AGEN.1129504
0.2.Faktura_21611447.exe.880000.0.unpack | 100% | Avira | HEUR/AGEN.1129504

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnv1 | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cnE | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://IzzKkp.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.founder.com.cn/cna | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.galapagosdesign.com/zY | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Faktura_21611447.exe, 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com | Faktura_21611447.exe, 00000000.00000003.318787394.00000000083D0000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designersG | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | (none) | high
http://www.galapagosdesign.com/ | Faktura_21611447.exe, 00000000.00000003.241112120.00000000083FE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNS | Faktura_21611447.exe, 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cn/bThe | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Faktura_21611447.exe, 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | (none) | high
http://www.tiro.com | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnv1 | Faktura_21611447.exe, 00000000.00000003.233525778.000000000840D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | (none) | high
http://www.goodfont.co.kr | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | Faktura_21611447.exe, 00000000.00000003.234916006.00000000083DB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnE | Faktura_21611447.exe, 00000000.00000003.233867585.00000000083DB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cn/cThe | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp; Faktura_21611447.exe, 00000000.00000002.320027257.0000000000F87000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp; Faktura_21611447.exe, 00000000.00000003.233541061.00000000083DB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | (none) | high
http://IzzKkp.com | Faktura_21611447.exe, 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cna | Faktura_21611447.exe, 00000000.00000003.233444092.00000000083D9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Faktura_21611447.exe, 00000000.00000003.231619653.000000000840E000.00000004.00000001.sdmp; Faktura_21611447.exe, 00000000.00000003.231673587.000000000840E000.00000004.00000001.sdmp | false | (none) | high
http://www.sandoll.co.kr | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | Faktura_21611447.exe, 00000000.00000002.332466757.00000000095E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Faktura_21611447.exe, 00000000.00000002.323889609.0000000003D51000.00000004.00000001.sdmp; Faktura_21611447.exe, 00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/zY | Faktura_21611447.exe, 00000000.00000003.241066086.00000000083FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                          Contacted IPs

                                          No contacted IP infos

                                          General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433220
Start date: 11.06.2021
Start time: 13:23:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 23s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Faktura_21611447.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/1@0/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.7% (good quality ratio 0.4%)
• Quality average: 42.6%
• Quality standard deviation: 38.2%
HCA Information:
                                          • Successful, ratio: 99%
                                          • Number of executed functions: 66
                                          • Number of non-executed functions: 25
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, HxTsr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                          • Not all processes were analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.

                                          Simulations

                                          Behavior and APIs

                                          Time | Type | Description
                                          13:25:07 | API Interceptor | 470x Sleep call for process: Faktura_21611447.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASN

                                          No context

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Faktura_21611447.exe.log
                                          Process:C:\Users\user\Desktop\Faktura_21611447.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:B666A4404B132B2BF6C04FBF848EB948
                                          SHA1:D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                          SHA-256:7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                          SHA-512:00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                          Malicious:true
                                          Reputation:moderate, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.5725309673566645
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:Faktura_21611447.exe
                                          File size:604160
                                          MD5:37178995799dac98cf429b946925e324
                                          SHA1:7653bcfc4a5dc75afa7efa2aa2531acd06b25679
                                          SHA256:b86fbdeb14cd6cd5b5e144d029844e1c7d6e51c82b1bb7c3f0f07f8ff07258c9
                                          SHA512:5eb6f61685fe7c1f4a280beedbee8b683ab0ace5779957fdf09555aa271cc52f2492ccaa022cece0ddd691f90b0c8196da0db9f8fd88fdb4fd7b593d59598138
                                          SSDEEP:12288:j/q6Tjxgijix2x6bg1ZXCtJ0TvbK3w9hhm45vnS8m2WhG4g7JLM+YtesminEY:eexvjYn81ZXoJMvby0hQ4JnjY
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%.`..............0.."...........@... ...`....@.. ....................................@................................

                                          File Icon

                                          Icon Hash:18da1abcb2d2d2b0

                                          Static PE Info

                                          General

                                          Entrypoint:0x49408e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x60C325D1 [Fri Jun 11 08:58:57 2021 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al

                                          Data Directories

                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x94034 | 0x57 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x96000 | 0x1058 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x98000 | 0xc | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x2000 | 0x92094 | 0x92200 | False | 0.804253100941 | data | 7.59684776596 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc | 0x96000 | 0x1058 | 0x1200 | False | 0.269748263889 | data | 2.8444952776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0x98000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name | RVA | Size | Type | Language | Country
                                          RT_ICON | 0x96130 | 0x8a8 | dBase III DBT, version number 0, next free block index 40 | |
                                          RT_GROUP_ICON | 0x969d8 | 0x14 | data | |
                                          RT_VERSION | 0x969ec | 0x480 | data | |
                                          RT_MANIFEST | 0x96e6c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                          Imports

                                          DLL | Import
                                          mscoree.dll | _CorExeMain

                                          Version Infos

                                          Description | Data
                                          Translation | 0x0000 0x04b0
                                          LegalCopyright | December 19th, 2006
                                          Assembly Version | 1.0.7.8
                                          InternalName | 7U61.exe
                                          FileVersion | 1.0.7.8
                                          CompanyName | Coded by James O'Cull
                                          LegalTrademarks |
                                          Comments | Contact management is a solution for anyone who needs to be able to access their list of contacts from removable media without any installation.
                                          ProductName | Contact Management
                                          ProductVersion | 1.0.7.8
                                          FileDescription | Contact Management
                                          OriginalFilename | 7U61.exe

                                          Network Behavior

                                          No network behavior found

                                          Code Manipulations

                                          Statistics

                                          CPU Usage


                                          Memory Usage


                                          High Level Behavior Distribution


                                          Behavior


                                          System Behavior

                                          General

                                          Start time:13:24:08
                                          Start date:11/06/2021
                                          Path:C:\Users\user\Desktop\Faktura_21611447.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\Faktura_21611447.exe'
                                          Imagebase:0x880000
                                          File size:604160 bytes
                                          MD5 hash:37178995799DAC98CF429B946925E324
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.323889609.0000000003D51000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.323889609.0000000003D51000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.321816701.0000000002DAC000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:13:24:51
                                          Start date:11/06/2021
                                          Path:C:\Users\user\Desktop\Faktura_21611447.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x570000
                                          File size:604160 bytes
                                          MD5 hash:37178995799DAC98CF429B946925E324
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.493773129.0000000002B11000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000002.489763681.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000000.318036726.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000000.318036726.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          Disassembly

                                          Code Analysis


                                            Executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID: J1y<$gg.n$gg.n$t1w$t1w$t1w$sq
                                            • API String ID: 2591292051-2682324544
                                            • Opcode ID: 06092ca961cffc9f51b68a61ee56a25150c73ef9b8f3b53dde09c88bcddf166f
                                            • Instruction ID: 03d57d9347ddf1dadf1af54a5d4821d085386745f38c761b9f2089245df96f30
                                            • Opcode Fuzzy Hash: 06092ca961cffc9f51b68a61ee56a25150c73ef9b8f3b53dde09c88bcddf166f
                                            • Instruction Fuzzy Hash: B1C124B0D09318CFDB14EFA5D98469DBBB2FB4A304F20956AD01AB7264DB349D44EF14
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: J1y<$gg.n$gg.n$t1w$t1w$t1w$sq
                                            • API String ID: 0-2682324544
                                            • Opcode ID: 79263197b03e16b7f8429ccc30a7237c9acb21db366210b07f07a674605f145c
                                            • Instruction ID: 78690168a649c95b376f7eb145145ea675220209f3b07f917053dc9e208e0691
                                            • Opcode Fuzzy Hash: 79263197b03e16b7f8429ccc30a7237c9acb21db366210b07f07a674605f145c
                                            • Instruction Fuzzy Hash: 47B147B0D09318CFDB14EFA5D98469DBBB2FB4A304F2485AAD00AB7264DB349D45DF24
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: <X$<X$DW$sq
                                            • API String ID: 0-1423274249
                                            • Opcode ID: 567c73ce7a3e3b790c1bbcd55d4af35c1e7656e7c68b913b0480d9fa80073aa1
                                            • Instruction ID: f094f293f6a9cfd0099ccd8a67678bafeaae70f26b310fbb1a07e36e1b0a239b
                                            • Opcode Fuzzy Hash: 567c73ce7a3e3b790c1bbcd55d4af35c1e7656e7c68b913b0480d9fa80073aa1
                                            • Instruction Fuzzy Hash: E48116B4D01648DFCB04CFA6E98469DBBB2FF99301F20816AD416BB354D7349A45DF11
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: <5;$<5;
                                            • API String ID: 0-1158855635
                                            • Opcode ID: 646516fd6d7449883a46e1aef93de443c260b8c0fbb69e74cf5d7df6fb14d58c
                                            • Instruction ID: 3ad01dc9dc0dbcb7623d1b0d892e078654367cfc3fbf946a5553f31cf971a0ae
                                            • Opcode Fuzzy Hash: 646516fd6d7449883a46e1aef93de443c260b8c0fbb69e74cf5d7df6fb14d58c
                                            • Instruction Fuzzy Hash: 6C514C74E052098FCB08CFA6D9416AEFBF2FF89310F28D12AD415A7264D7349A41DF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5b9fab5c4e4631582a7a943a0f7f1475c6034ffe488ceae277e8009b54fc0a7e
                                            • Instruction ID: aa26ab8024ca7ede2fa8ffa9c626b8dd239aaeb5c77cd461d2a66955ecedc31a
                                            • Opcode Fuzzy Hash: 5b9fab5c4e4631582a7a943a0f7f1475c6034ffe488ceae277e8009b54fc0a7e
                                            • Instruction Fuzzy Hash: 61611B71C0A3C89FCB12CFA9D894ADDBFB0AF1A314F15449BD484E7262D7349905CB66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00F672AD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID:
                                            • API String ID: 1778838933-0

                                            APIs
                                            • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00F672AD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID:
                                            • API String ID: 1778838933-0

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: [
                                            • API String ID: 0-3835885953

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: [
                                            • API String ID: 0-3835885953

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.330264831.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 02C14500
                                            • GetCurrentThread.KERNEL32 ref: 02C1453D
                                            • GetCurrentProcess.KERNEL32 ref: 02C1457A
                                            • GetCurrentThreadId.KERNEL32 ref: 02C145D3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 02C14500
                                            • GetCurrentThread.KERNEL32 ref: 02C1453D
                                            • GetCurrentProcess.KERNEL32 ref: 02C1457A
                                            • GetCurrentThreadId.KERNEL32 ref: 02C145D3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 02C14500
                                            • GetCurrentThread.KERNEL32 ref: 02C1453D
                                            • GetCurrentProcess.KERNEL32 ref: 02C1457A
                                            • GetCurrentThreadId.KERNEL32 ref: 02C145D3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(?), ref: 02C122E2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID: Xu$Xu
                                            • API String ID: 4139908857-2934775391

                                            APIs
                                            • OutputDebugStringW.KERNELBASE(?), ref: 00F67DCA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID: DebugOutputString
                                            • String ID: E
                                            • API String ID: 1166629820-3015059025

                                            APIs
                                            • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05A318FC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0

                                            APIs
                                            • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05A318FC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C18E19
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C18E19
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00F6D8E9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A31F96
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A31F96
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C14793
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C14793
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A31D45
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A31D45
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(?,?,?), ref: 02C1260A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0

                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A31E5D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 32ec0254ae5ca547ac29bb20c7f19380bf300771916a278fcadb5191cd36d809
                                            • Instruction ID: 57be610667e3575b3521f7bf929a799375ba4284d3b34e8557a6d2a022d5b253
                                            • Opcode Fuzzy Hash: 32ec0254ae5ca547ac29bb20c7f19380bf300771916a278fcadb5191cd36d809
                                            • Instruction Fuzzy Hash: D63165B9D042589FCF10CFA9D984A9EFBB5BB49314F10A02AE818B7310D735A946CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(?,?,?), ref: 02C1260A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 7911bf4737860ad7f2c5f30be1fd136ed088e74a7b89ece8437bd914966efb59
                                            • Instruction ID: 2a33576efbbe6ddcf5b70c1b88457470a1f79a2b398f802e4f7dd2082b030a5e
                                            • Opcode Fuzzy Hash: 7911bf4737860ad7f2c5f30be1fd136ed088e74a7b89ece8437bd914966efb59
                                            • Instruction Fuzzy Hash: 844198B9D042589FCF10CFA9D884A9EFBF0BB49314F14902AE814B7310D334A946CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 02C1B481
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 37b606ed0c30076782b36755461d8c1be927e0a59754028755d34487dcec781f
                                            • Instruction ID: adb2299572d84e0bfd4a4981165014526f8915e93b4246ab7f7f20797441474e
                                            • Opcode Fuzzy Hash: 37b606ed0c30076782b36755461d8c1be927e0a59754028755d34487dcec781f
                                            • Instruction Fuzzy Hash: 6A4135B4A003458FCB14CF99C489BAABBF5FF89318F14C459E519AB321D734A941CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A31E5D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 4fc77cc78725eaf14ea1a766a168bfb4d34f77df2fa23bf4da8ebcdfc25cf6cc
                                            • Instruction ID: 9506cc65cdeae5d9837164b642fb30b05579d50a4e9ae5d9d66f0c3b4838b1bc
                                            • Opcode Fuzzy Hash: 4fc77cc78725eaf14ea1a766a168bfb4d34f77df2fa23bf4da8ebcdfc25cf6cc
                                            • Instruction Fuzzy Hash: 543165B9D04258DFCF10CFA9D984A9EFBB5BB09314F10A02AE818B7310D735A945CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetThreadContext.KERNELBASE(?,?), ref: 05A31C2A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: 5fd1dc7345557d508919d261cfdc73fae96d3eba02e4fbf46f2d56c0a24c50a4
                                            • Instruction ID: 82631b1b35ff56ade52c1f54398cc7edffeac1a77b6940d09c8c7a9f8f34ab25
                                            • Opcode Fuzzy Hash: 5fd1dc7345557d508919d261cfdc73fae96d3eba02e4fbf46f2d56c0a24c50a4
                                            • Instruction Fuzzy Hash: B731CAB5D012589FCB10CFA9E985ADEFBF1BB49314F14902AE418B7310D738AA45CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetThreadContext.KERNELBASE(?,?), ref: 05A31C2A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: f4620166e3b98e278d1d7f39f0beeb708a1b29467317758fc3982f4b0f643518
                                            • Instruction ID: e09e8f5baaa60c25bf2e78ac7adf9378e149599eff39fb556cb1a3b17e6296b0
                                            • Opcode Fuzzy Hash: f4620166e3b98e278d1d7f39f0beeb708a1b29467317758fc3982f4b0f643518
                                            • Instruction Fuzzy Hash: B531CAB4D012589FCB10CFA9D984ADEFBF0BB49314F14802AE418B7310D738AA45CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 05A32533
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: aaa411283f600a0112fd81d0155439fd1aa2173442320abbbbff9691fde0d0d8
                                            • Instruction ID: 3b0a17edfa5c2e176a9e30ef33900c3ae6c8b8cd0cacd506edcfa625caf5dd7b
                                            • Opcode Fuzzy Hash: aaa411283f600a0112fd81d0155439fd1aa2173442320abbbbff9691fde0d0d8
                                            • Instruction Fuzzy Hash: 653167B9D01258AFCB10CFA9D584A9EFBF5AB49314F14902AE814B7310D735A945CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 05A32533
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 6fc704994d570189522d5b256c979a1323779912951f92eadb5aa32131fb2545
                                            • Instruction ID: 371ff2470e30cc7e382732b0b83e69b34571bccdc649171fc64859b66fe16075
                                            • Opcode Fuzzy Hash: 6fc704994d570189522d5b256c979a1323779912951f92eadb5aa32131fb2545
                                            • Instruction Fuzzy Hash: 493167B9D012589FCF10CFA9D584ADEFBF5AB49314F14902AE814B7310D735AA45CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OutputDebugStringW.KERNELBASE(?), ref: 00F67DCA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID: DebugOutputString
                                            • String ID:
                                            • API String ID: 1166629820-0
                                            • Opcode ID: 494082106816a1279226b8660654612fc1cc2bb2b93a2c751998b7719ce0f3ed
                                            • Instruction ID: 860ad0d8a8ad15488ff7fa163539c9864a9ad28f8b77a0bbf25ce041099a68a0
                                            • Opcode Fuzzy Hash: 494082106816a1279226b8660654612fc1cc2bb2b93a2c751998b7719ce0f3ed
                                            • Instruction Fuzzy Hash: AC31CBB5D052489FCB14CFA9D484AEEFBF1AF49314F14946AE818B7320D734A946CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(?), ref: 02C122E2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 28e4574714ef98e2df8560deef6c1c986bab47fbce8258d13c864b1f7f653a78
                                            • Instruction ID: e5784c0bafaabe0e8f6f98b080ee83de72391c23e23ac2c359333ba7e1bcf5de
                                            • Opcode Fuzzy Hash: 28e4574714ef98e2df8560deef6c1c986bab47fbce8258d13c864b1f7f653a78
                                            • Instruction Fuzzy Hash: 4731A9B8D002599FCB14CFAAD484ADEFBF5BB49314F14906AE818B7320D734A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 00F682A6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            • Opcode ID: 62ad273fd8381951be172ec97e3889925c1e46b6068ecea6db8070d61a2e469e
                                            • Instruction ID: 3f0a20049c5cbf3ee1bb53259acd4523f2cd0b4115983eb9031c546e94902865
                                            • Opcode Fuzzy Hash: 62ad273fd8381951be172ec97e3889925c1e46b6068ecea6db8070d61a2e469e
                                            • Instruction Fuzzy Hash: 6631CAB5D042589FCB10CFA9E484AEEFBF4EB49324F14906AE815B7300D774A946CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 00F682A6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            • Opcode ID: a7b5e983a42c48aefea93d894b7d7364e7e2c8ca0ca3701b82f2a4e28eb597bb
                                            • Instruction ID: a4fba288de69a54c5960e2f65dac7603d8670fb943e7140109f2eaca9bc0f7b1
                                            • Opcode Fuzzy Hash: a7b5e983a42c48aefea93d894b7d7364e7e2c8ca0ca3701b82f2a4e28eb597bb
                                            • Instruction Fuzzy Hash: AE31CAB9D002589FCB10CFA9D884AEEFBF4AB49324F14906AE814B7310D774A945CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ResumeThread.KERNELBASE(?), ref: 05A32166
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 70758f84774cc90a93d384caf9d7cd47bdc6b7655577d87a037eae98aa31dadc
                                            • Instruction ID: e44cc02e9e4b07f406385db740e3224c260bfe2a0670612ebf13368e9ed3deef
                                            • Opcode Fuzzy Hash: 70758f84774cc90a93d384caf9d7cd47bdc6b7655577d87a037eae98aa31dadc
                                            • Instruction Fuzzy Hash: 6F31BBB8D002589FCB10CFA9E985ADEFBF4AF49324F14901AE918B3310D374A945CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ResumeThread.KERNELBASE(?), ref: 05A32166
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 0ddc313eefd7bb9527c7b6b775f2c8060961a7a5f5f6ffcfb5fc3147841a2a51
                                            • Instruction ID: 4facbee4eb6d69cf113db0994f21e2a53e94b51758711205ed22850ad3e3a030
                                            • Opcode Fuzzy Hash: 0ddc313eefd7bb9527c7b6b775f2c8060961a7a5f5f6ffcfb5fc3147841a2a51
                                            • Instruction Fuzzy Hash: 9C21AAB8D002589FCB10CFA9D985ADEFBF4AF49324F14901AE918B7310D734A945CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%
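The entries above are worth reading by dump region rather than one at a time: VirtualAllocEx, SetThreadContext, ResumeThread and PostMessageW are all attributed to the region dumped at 0x05A30000, while LoadLibraryExW, GetModuleHandleW and CallWindowProcW sit in 0x02C10000 and OutputDebugStringW and FindCloseChangeNotification in 0x00F60000. Grouping the calls by region is the fastest way to locate the injection stub that backs the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures. The following Python is an added example, not code from the report or from Joe Sandbox; it parses the line shapes used in the listing (the "• Api.Module(args), ref: ADDR" line, the "• Source File: ..., Offset: ..., based on PE: ..." line and the closing "Uniqueness Score" line), and the choice of which three APIs form the hollowing triad is this example's own assumption. The sample listing embedded in it is constructed from four entries copied from the page.

```python
"""Group the API calls in a Joe Sandbox function listing by memory-dump region.

Added example, not code from the report or from Joe Sandbox. The line shapes
("• Api.Module(args), ref: ADDR", "• Source File: ..., Offset: ..., based on
PE: ...", "Uniqueness Score: ...") are taken from the listing above; which
APIs count as the hollowing triad is this example's own assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>\w+)$"
)
# Assumption: one dumped region that calls all three is a strong sign of the
# "map payload into a suspended process, redirect its thread, resume" pattern.
HOLLOWING_TRIAD = frozenset({"VirtualAllocEx", "SetThreadContext", "ResumeThread"})


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)  # (api, module, call-site address)
    dump_file: str = ""
    offset: int = 0  # base address of the dumped region the function came from
    based_on_pe: bool = False


def parse_entries(text: str) -> list:
    """One FunctionEntry per block; a 'Uniqueness Score' line closes a block."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur.apis.append((m["api"], m["module"], int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            cur.dump_file, cur.offset = m["file"], int(m["offset"], 16)
            cur.based_on_pe = m["pe"].lower() == "true"
        elif line.startswith("Uniqueness Score"):
            if cur.apis:  # entries without an APIs block carry nothing to correlate
                entries.append(cur)
            cur = FunctionEntry()
    return entries


def apis_by_region(entries) -> dict:
    """Region base address -> set of API names called from that region.
    Functions the report lists twice (same API, same call site) collapse here."""
    regions = defaultdict(set)
    for e in entries:
        for api, _module, _ref in e.apis:
            regions[e.offset].add(api)
    return dict(regions)


def hollowing_regions(entries) -> list:
    """Regions whose calls cover the whole triad, sorted by base address."""
    return sorted(b for b, apis in apis_by_region(entries).items() if HOLLOWING_TRIAD <= apis)


def callsites_below_region(entries) -> list:
    """Consistency check: a call site must not sit below the base of the region it
    was attributed to. The listing gives no region size, so only the lower bound
    is checkable. Returns (api, call_site, region_base) for each violation."""
    return [(api, ref, e.offset) for e in entries for api, _m, ref in e.apis if ref < e.offset]


# Constructed sample: four entries copied from the listing above.
SAMPLE_LISTING = """
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A31E5D
Memory Dump Source
• Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
Uniqueness Score: -1.00%
APIs
• SetThreadContext.KERNELBASE(?,?), ref: 05A31C2A
Memory Dump Source
• Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
Uniqueness Score: -1.00%
APIs
• ResumeThread.KERNELBASE(?), ref: 05A32166
Memory Dump Source
• Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNELBASE(?,?,?), ref: 02C1260A
Memory Dump Source
• Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LISTING)
    for base in hollowing_regions(ents):
        print(f"injection stub candidate: dump region 0x{base:08X}")
```

Run against the full listing, the script reports 0x05A30000 as the only region whose calls cover the triad, which matches where the report places SetThreadContext and ResumeThread. Entries with no "APIs" block (the hash-only entries further down) are skipped rather than treated as a region with no calls, and because the report repeats several functions under different Opcode IDs, grouping by region and API name deduplicates them without any extra bookkeeping. The lower-bound check on call-site addresses is deliberately weak: the listing states a region base but not its size, so a call site above the base cannot be confirmed to lie inside the dump from this data alone.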

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.330264831.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: Xu
                                            • API String ID: 0-3868445026
                                            • Opcode ID: a64cead8f85b46433b7c147577b8c1c410272462401dd911c783936539b4ec4d
                                            • Instruction ID: 07801ed4946c94df81594be5c825b332309e8f1bd06c6a3d143c193b8a0e41c5
                                            • Opcode Fuzzy Hash: a64cead8f85b46433b7c147577b8c1c410272462401dd911c783936539b4ec4d
                                            • Instruction Fuzzy Hash: 1241BE353042608FC719AB39D89896EB7E6EFC922671584AEE55ADB361DF30DC01C750
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.330264831.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7d565544d0823ba072f76513d11cd2db209ab8afd1f453058f48d507acf59741
                                            • Instruction ID: d25e9e933b51a894fdbe0cad6a76f11fb8911c67de5e2559961c5a0cef4dc730
                                            • Opcode Fuzzy Hash: 7d565544d0823ba072f76513d11cd2db209ab8afd1f453058f48d507acf59741
                                            • Instruction Fuzzy Hash: 805125B1A042589FCB06DB64C8509EEBBB2EFC9304F1541BAD502AB751DF34DD4ACBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.330264831.0000000008330000.00000040.00000001.sdmp, Offset: 08330000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea80ca47ae6617d35cae28fb5d0ef80e6778f00b849cc816a8fd62e60ccd7fd4
                                            • Instruction ID: 3ee454f63c082eb6310cbdda0bdfbbbf5f4b6a203afecf97682a707cf5fbdf0f
                                            • Opcode Fuzzy Hash: ea80ca47ae6617d35cae28fb5d0ef80e6778f00b849cc816a8fd62e60ccd7fd4
                                            • Instruction Fuzzy Hash: DA317A70A02718EFCB18EFA0E5945ADBBB2FF85311F1185A9E481A7665CB309869DF40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319712349.0000000000EBD000.00000040.00000001.sdmp, Offset: 00EBD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f6495fcf98b13ac575533e379c87ec4d0c4ae8165dc63c26f5d9cf6fec76f832
                                            • Instruction ID: 56716a6bd73f60a459486d0ca384d187aaf6bd1198f1da0d952eacba77fcb789
                                            • Opcode Fuzzy Hash: f6495fcf98b13ac575533e379c87ec4d0c4ae8165dc63c26f5d9cf6fec76f832
                                            • Instruction Fuzzy Hash: 8B2103B1508244EFCB04DF10DDC0BABBB65FB98328F24C579E9096B206D336E856C7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319712349.0000000000EBD000.00000040.00000001.sdmp, Offset: 00EBD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d065106fbacbf2e2270365a0eed021e584933e4c76d21b3f8549c0101291bb93
                                            • Instruction ID: 0f896724604de0f297fea7a8499ca12a34a48a2d97f057dfa1ef428e1f9cbc47
                                            • Opcode Fuzzy Hash: d065106fbacbf2e2270365a0eed021e584933e4c76d21b3f8549c0101291bb93
                                            • Instruction Fuzzy Hash: 452137B1508244DFCB15CF54DDC0BABBF65FB8832CF248569E9096B206D336D856CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319805747.0000000000EDD000.00000040.00000001.sdmp, Offset: 00EDD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e1a81de08de66efe8c95d98235d24a66ca57ea6399fffe3b04d4d3dbe3c446c
                                            • Instruction ID: 6e5a079017e9455a15aed113d14e5558fcb24f6668b509102f0ee75bbaadb4be
                                            • Opcode Fuzzy Hash: 6e1a81de08de66efe8c95d98235d24a66ca57ea6399fffe3b04d4d3dbe3c446c
                                            • Instruction Fuzzy Hash: EE21D371608244DFCB14DF14DDC0B2ABB66FB88318F24C56AE9095B346C736D847CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319805747.0000000000EDD000.00000040.00000001.sdmp, Offset: 00EDD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 788579b51102d17bbf34aacdeef40f470022bc6a2e1fdeae2b883b99612f2295
                                            • Instruction ID: f2bae70edf40913a037ee12dcf9902bc2c61e998d3313404e5b2159f0b2db668
                                            • Opcode Fuzzy Hash: 788579b51102d17bbf34aacdeef40f470022bc6a2e1fdeae2b883b99612f2295
                                            • Instruction Fuzzy Hash: 7221F571508244EFDB01DF50DDC0B2ABB65FB84318F24C56AE9496B356C736D847CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319805747.0000000000EDD000.00000040.00000001.sdmp, Offset: 00EDD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 516f5f76c12d0a46810ec2fc7edd844f8d2b135d9f1b6c57fe426f8aa99e675f
                                            • Instruction ID: 019b34cb3f890d018538638bd4869074552d60b02ad6d99c512af796d8523912
                                            • Opcode Fuzzy Hash: 516f5f76c12d0a46810ec2fc7edd844f8d2b135d9f1b6c57fe426f8aa99e675f
                                            • Instruction Fuzzy Hash: 34217F7550D3809FCB12CF24D990715BF71EB86214F28C5EBD8498B6A7C33A984ACB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319712349.0000000000EBD000.00000040.00000001.sdmp, Offset: 00EBD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 70974ab4a4c2816a03f4b9a369bf25a07704c6fcdadf149384cc040b403512b7
                                            • Instruction ID: 135c6f3e0d77aaccd0d9ffc0d9f39337200ca3bb71d1846eff951fba5ac023ca
                                            • Opcode Fuzzy Hash: 70974ab4a4c2816a03f4b9a369bf25a07704c6fcdadf149384cc040b403512b7
                                            • Instruction Fuzzy Hash: AF110876508280DFCF15CF10D9C4B56BF72FB94324F28C6A9D8085B616C33AE85ACBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319712349.0000000000EBD000.00000040.00000001.sdmp, Offset: 00EBD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 70974ab4a4c2816a03f4b9a369bf25a07704c6fcdadf149384cc040b403512b7
                                            • Instruction ID: 45cd2e206582b39bb5cb516150410165a4334a7921f17a1a64c51160b4275f8b
                                            • Opcode Fuzzy Hash: 70974ab4a4c2816a03f4b9a369bf25a07704c6fcdadf149384cc040b403512b7
                                            • Instruction Fuzzy Hash: 57110876508280DFCF12CF10D9C4B56BF71FB94328F24C6A9D8051B616C33AD85ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319805747.0000000000EDD000.00000040.00000001.sdmp, Offset: 00EDD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 13a5dd89c4e04e7b034098b9a6b3c5328201ea2187bf87cfbe925b6137f2990e
                                            • Instruction ID: 645707d7c53922b98932e4ed5443393a60f2593fe57ce8a482f2aecbcf7b9bb4
                                            • Opcode Fuzzy Hash: 13a5dd89c4e04e7b034098b9a6b3c5328201ea2187bf87cfbe925b6137f2990e
                                            • Instruction Fuzzy Hash: A6118B75908280DFCB11CF50D9C4B15BBB1FB84328F28C6AAD8495B766C33AD85ACB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: U$U
                                            • API String ID: 0-2145350036
                                            • Opcode ID: 101f758bbfcb0ba24634748b6a9f26e004fc25c451ab93fb746b92587d2d11a6
                                            • Instruction ID: b134ed813d36eb1f8994a296537bd6b90ff97a4051f9260687c3742b7d0d149c
                                            • Opcode Fuzzy Hash: 101f758bbfcb0ba24634748b6a9f26e004fc25c451ab93fb746b92587d2d11a6
                                            • Instruction Fuzzy Hash: E5C15B74E042598FCB15CFA9D9806ADFBF2BF86304F24816AD844EB256D7309941DF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: U$U
                                            • API String ID: 0-2145350036
                                            • Opcode ID: 22fe3a8b9de4673ecd360a65fd9b21100dd2bff8740fad7a849316ce5b3b17f9
                                            • Instruction ID: 8b7966aea96e2fc1a2769614a45706c8c4265845ca2939ee8d516e08e61b0134
                                            • Opcode Fuzzy Hash: 22fe3a8b9de4673ecd360a65fd9b21100dd2bff8740fad7a849316ce5b3b17f9
                                            • Instruction Fuzzy Hash: 58B12C74E042198BCB14CFA9D980AAEFBB6BF89304F24D16AD409EB355D7309941DF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: U$U
                                            • API String ID: 0-2145350036
                                            • Opcode ID: 1f060748a5f39e3b13d44255f063f30a54e717224631f56b83af3690c06a9eb5
                                            • Instruction ID: 21240e3949cef6f46b02302f363a547831a39102f0fa90ac6323f42a394a96b8
                                            • Opcode Fuzzy Hash: 1f060748a5f39e3b13d44255f063f30a54e717224631f56b83af3690c06a9eb5
                                            • Instruction Fuzzy Hash: F2913C74E042199FCB14CFA9CA80AAEFBB2BF8A304F249559D405EB356D730AD41DF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: ILEM$ILEM
                                            • API String ID: 0-1631672710
                                            • Opcode ID: f7a25d3afb877cfb5a1692c9cf118d04a53875e061b47756129b3e4022cf4d85
                                            • Instruction ID: c94afd759f2baafc3e299c50a72a58c54d6a1c6b3926e0dcb56559c3c5ad6966
                                            • Opcode Fuzzy Hash: f7a25d3afb877cfb5a1692c9cf118d04a53875e061b47756129b3e4022cf4d85
                                            • Instruction Fuzzy Hash: 2D616AB4E0421ADFCB04DFA5C9816EEFBF1BF99300F24855AD425AB214D734AA42DF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: *W@$*W@
                                            • API String ID: 0-3849317122
                                            • Opcode ID: 3b9e866c3ecdd14b788024f006d3a5115329f5eb5fb2bb46358f99d972c0c039
                                            • Instruction ID: 9bfe99cd89d8d4d8bcee67d487e29adeb67a0dd015611e7cbf55e62a4e8183f9
                                            • Opcode Fuzzy Hash: 3b9e866c3ecdd14b788024f006d3a5115329f5eb5fb2bb46358f99d972c0c039
                                            • Instruction Fuzzy Hash: 59411971E0460A9FCB04CFAAC9816AEFBF2BF99300F24C42AC415B7254D7349A419F94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: p$}9
                                            • API String ID: 0-2862454329
                                            • Opcode ID: aeed6d0298d3064e9b82d07ee9aa61bf727c55cc5d3c3ddbfd8b5701042529ed
                                            • Instruction ID: dd202ecbcf8a76eaa0d53639892eb06468a246fe6658f560b5891260e235ae84
                                            • Opcode Fuzzy Hash: aeed6d0298d3064e9b82d07ee9aa61bf727c55cc5d3c3ddbfd8b5701042529ed
                                            • Instruction Fuzzy Hash: 3021DE71E056589FEB19CFAB9C4469EFBF3AFC9200F14C1BAC858A6264DB7405458F11
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: CwCC
                                            • API String ID: 0-3453639414
                                            • Opcode ID: d489f3b4da9a3964fa7d3d8f556f2234ed7ba9847601e06ac5d0ecd840ab12f8
                                            • Instruction ID: 29e714f5344c2b3aab77b0c99447b42e55654e3850aa78ea341c5b0e15f7b5e9
                                            • Opcode Fuzzy Hash: d489f3b4da9a3964fa7d3d8f556f2234ed7ba9847601e06ac5d0ecd840ab12f8
                                            • Instruction Fuzzy Hash: 1E612675E05209DFCB04CFA9D481AEEFBB2FB89310F14852AD515AB254D3309A85DF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf6cefcf8a74b7e9203a5c8ea33390e52155aa0d26035ae752cf67f794b1446e
                                            • Instruction ID: a404facc1b1cff331e754ec7f6e0f8f151a7217de82f6f35319c0c191dc9bbf9
                                            • Opcode Fuzzy Hash: bf6cefcf8a74b7e9203a5c8ea33390e52155aa0d26035ae752cf67f794b1446e
                                            • Instruction Fuzzy Hash: 1512C4F1611F4ACBD710CF65ED881893BA1F786B28F904308D2616EAF1D7B8114AEF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c38a6f6c755ca6a2f0b5bb880dc09c69d5b68f0bb473715ee29520365fef47ff
                                            • Instruction ID: 813c2dd04377ca50684266169ba6a31e5ab4e9000eb30484127621a9241a9044
                                            • Opcode Fuzzy Hash: c38a6f6c755ca6a2f0b5bb880dc09c69d5b68f0bb473715ee29520365fef47ff
                                            • Instruction Fuzzy Hash: 82A16F32E00219DFCF05DFB5C84459DB7B6FFC6304B25816AE905AB261DB35A915EF80
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aca9b794b65588599ce8430ad015b1cd00bb5729ba045435d51f20111f9320ae
                                            • Instruction ID: d1675481a53714ecdfe5719fa4474ea032749e3037c01988930027ef07da8de2
                                            • Opcode Fuzzy Hash: aca9b794b65588599ce8430ad015b1cd00bb5729ba045435d51f20111f9320ae
                                            • Instruction Fuzzy Hash: 3BC10AF1A11B4A8BD710CF64EC881897B71FB86B28F504308D1616FAF1D7B8148AEF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6cb064df21632cdc946d3c3992f26b082bb4287c02ecf6a65aafc94f8b0a61e
                                            • Instruction ID: cfa72e38d99d90433ff2a5b8beeb753e1984573835560f59c995470c4abe1401
                                            • Opcode Fuzzy Hash: d6cb064df21632cdc946d3c3992f26b082bb4287c02ecf6a65aafc94f8b0a61e
                                            • Instruction Fuzzy Hash: BCA11974E046198FCB14CFA9C9806ADFBF6BF89304F24C1A9D409A7355DB30AA41DF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5afebd37f137a74019a863c73028f1a7c32fc1107c6963f16d2ee431efbb04cb
                                            • Instruction ID: 9bbb7e45ee56bd138e33f3036f5e2077a32939cc21a8c64d012eb6456e3beda4
                                            • Opcode Fuzzy Hash: 5afebd37f137a74019a863c73028f1a7c32fc1107c6963f16d2ee431efbb04cb
                                            • Instruction Fuzzy Hash: F2911A74E046598FCB14CFA9C9806AEFBF2BF89304F24C1AAD419A7356DB309941DF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 70%
                                            			E00884E38() {
                                            				signed int _t9;
                                            				signed char _t10;
                                            				intOrPtr* _t11;
                                            				signed char _t12;
                                            				intOrPtr* _t14;
                                            				signed char _t16;
                                            				signed char _t18;
                                            				signed int _t19;
                                            				signed int _t20;
                                            				signed char _t22;
                                            				signed int _t24;
                                            				signed int _t25;
                                            				signed char _t26;
                                            				signed int _t27;
                                            				signed int _t28;
                                            				signed char _t29;
                                            				signed char _t30;
                                            				signed char _t31;
                                            				signed char _t32;
                                            				signed char _t33;
                                            				signed char _t34;
                                            				signed char _t35;
                                            				signed char _t36;
                                            				signed char _t37;
                                            				signed char _t38;
                                            				signed char _t39;
                                            				signed char _t41;
                                            				signed int* _t42;
                                            				intOrPtr* _t44;
                                            				intOrPtr* _t46;
                                            
                                            				_t10 = _t9 | 0x073e01d0;
                                            				 *_t10 =  *_t10 + _t10;
                                            				 *_t31 = _t42 +  *_t31;
                                            				 *(_t10 + _t10) =  *(_t10 + _t10) ^ _t10;
                                            				 *_t10 =  *_t10 | _t10;
                                            				 *_t10 =  *_t10 + _t10;
                                            				 *_t10 =  *_t10 + _t10;
                                            				 *_t32 =  *_t32 + _t42;
                                            				_t11 = _t10 +  *_t31;
                                            				 *_t11 =  *_t11 - _t31;
                                            				 *_t11 =  *_t11 + _t11;
                                            				_t33 = _t32 |  *_t42;
                                            				asm("adc esi, [eax]");
                                            				_t12 = _t11 +  *_t11;
                                            				_pop(es);
                                            				 *_t12 =  *_t12 + _t12;
                                            				 *_t33 =  *_t33 + _t12;
                                            				 *_t12 =  *_t12 + _t12;
                                            				asm("adc [edx], eax");
                                            				 *_t33 =  *_t33 - _t31;
                                            				 *_t12 =  *_t12 + _t12;
                                            				_t34 = _t33 |  *_t42;
                                            				 *_t31 = _t42 +  *_t31;
                                            				 *_t31 =  *_t31 ^ _t12;
                                            				 *_t44 =  *_t44 + _t12;
                                            				 *_t12 =  *_t12 + _t12;
                                            				 *_t34 =  *_t34 + _t12;
                                            				 *_t12 =  *_t12 + _t12;
                                            				asm("adc [edx], eax");
                                            				 *_t42 =  *_t42 - _t31;
                                            				 *_t12 =  *_t12 + _t12;
                                            				_t35 = _t34 |  *_t42;
                                            				 *_t31 = _t42 +  *_t31;
                                            				 *_t31 =  *_t31 ^ _t12;
                                            				 *_t44 =  *_t44 + _t12;
                                            				 *_t12 =  *_t12 + _t12;
                                            				 *_t35 =  *_t35 + _t12;
                                            				 *_t12 =  *_t12 + _t12;
                                            				asm("adc [edx], eax");
                                            				asm("outsd");
                                            				asm("sbb eax, [eax]");
                                            				 *_t42 =  *_t42 + _t35;
                                            				asm("adc esi, [eax]");
                                            				_t14 = _t12 -  *_t12 +  *((intOrPtr*)(_t12 -  *_t12));
                                            				_pop(es);
                                            				 *_t14 =  *_t14 + _t14;
                                            				 *_t35 =  *_t35 + _t14;
                                            				 *_t14 =  *_t14 + _t14;
                                            				asm("adc [edx], eax");
                                            				asm("outsd");
                                            				asm("sbb al, 0x0");
                                            				 *_t42 =  *_t42 + _t35;
                                            				asm("adc esi, [eax]");
                                            				_t16 = _t14 -  *_t14;
                                            				 *_t16 =  *_t16 | _t16;
                                            				 *_t16 =  *_t16 + _t16;
                                            				 *_t16 =  *_t16 + _t16;
                                            				 *_t35 =  *_t35 + _t42;
                                            				asm("outsd");
                                            				asm("sbb eax, 0x2a0a0000");
                                            				asm("adc esi, [eax]");
                                            				_t18 = _t16 +  *_t31 +  *((intOrPtr*)(_t16 +  *_t31));
                                            				_pop(es);
                                            				 *_t18 =  *_t18 + _t18;
                                            				 *_t35 =  *_t35 + _t18;
                                            				 *_t18 =  *_t18 + _t18;
                                            				asm("adc [edx], eax");
                                            				if( *_t18 < 0) {
                                            					 *_t18 =  *_t18 + _t18;
                                            					_t41 = _t35 |  *_t42;
                                            					 *_t31 = _t42 +  *_t31;
                                            					 *(_t18 + _t18) =  *(_t18 + _t18) ^ _t18;
                                            					 *_t18 =  *_t18 | _t18;
                                            					 *_t18 =  *_t18 + _t18;
                                            					 *_t18 =  *_t18 + _t18;
                                            					 *_t41 =  *_t41 + _t42;
                                            					_t30 = _t18 +  *_t31;
                                            					asm("outsd");
                                            					_pop(ds);
                                            					 *_t30 =  *_t30 + _t30;
                                            					_t35 = _t41 |  *_t42;
                                            					asm("adc esi, [eax]");
                                            					_t18 = _t30;
                                            					 *_t18 =  *_t18 | _t18;
                                            				}
                                            				 *_t18 =  *_t18 + _t18;
                                            				 *_t35 =  *_t35 + _t18;
                                            				 *_t18 =  *_t18 + _t18;
                                            				asm("adc [edx], eax");
                                            				 *_t18 =  *_t18 + _t18;
                                            				_t36 = _t35 |  *_t42;
                                            				asm("adc esi, [eax]");
                                            				_t19 = _t18 +  *_t18;
                                            				 *_t19 =  *_t19 + _t19;
                                            				 *_t36 =  *_t36 + _t19;
                                            				 *_t19 =  *_t19 + _t19;
                                            				asm("adc [eax], ebp");
                                            				 *_t19 =  *_t19 & _t19;
                                            				 *_t42 =  *_t42 + _t36;
                                            				_t20 = _t19 -  *_t19;
                                            				 *_t31 = _t42 +  *_t31;
                                            				 *_t31 =  *_t31 ^ _t20;
                                            				 *_t44 =  *_t44 + _t20;
                                            				 *_t20 =  *_t20 + _t20;
                                            				 *_t36 =  *_t36 + _t20;
                                            				 *_t20 =  *_t20 + _t20;
                                            				asm("adc [edx], eax");
                                            				 *_t42 =  *_t42 - _t20;
                                            				 *_t20 =  *_t20 + _t20;
                                            				_t37 = _t36 |  *_t42;
                                            				 *_t31 = _t42 +  *_t31;
                                            				 *_t31 =  *_t31 ^ _t20;
                                            				 *_t46 =  *_t46 + _t20;
                                            				 *_t20 =  *_t20 + _t20;
                                            				 *_t37 =  *_t37 + _t20;
                                            				 *_t20 =  *_t20 + _t20;
                                            				asm("adc [eax], ebp");
                                            				 *_t42 =  *_t42 + _t37;
                                            				_t22 = (_t20 &  *_t20) -  *(_t20 &  *_t20);
                                            				 *_t31 = _t42 +  *_t31;
                                            				 *_t31 =  *_t31 ^ _t22;
                                            				 *_t46 =  *_t46 + _t22;
                                            				 *_t22 =  *_t22 + _t22;
                                            				 *_t37 =  *_t37 + _t22;
                                            				 *_t22 =  *_t22 + _t22;
                                            				asm("adc [eax], ebp");
                                            				 *_t42 =  *_t42 + _t37;
                                            				_t24 = (_t22 & 0x00000000) -  *(_t22 & 0x00000000);
                                            				 *_t31 = _t42 +  *_t31;
                                            				 *_t31 =  *_t31 ^ _t24;
                                            				 *_t46 =  *_t46 + _t24;
                                            				 *_t24 =  *_t24 + _t24;
                                            				 *_t37 =  *_t37 + _t24;
                                            				 *_t24 =  *_t24 + _t24;
                                            				asm("adc [eax], ebp");
                                            				_t25 = _t24 & 0x2a0a0000;
                                            				 *_t25 =  *_t25 + _t25;
                                            				asm("adc esi, [eax]");
                                            				_t26 = _t25 +  *_t25;
                                            				es = es;
                                            				 *_t26 =  *_t26 + _t26;
                                            				 *_t37 =  *_t37 + _t26;
                                            				 *_t26 =  *_t26 + _t26;
                                            				asm("adc [edx], eax");
                                            				asm("outsd");
                                            				 *[es:eax] =  *[es:eax] + _t26;
                                            				_t38 = _t37 |  *_t42;
                                            				 *_t31 = _t42 +  *_t31;
                                            				 *_t31 =  *_t31 ^ _t26;
                                            				 *_t44 =  *_t44 + _t26;
                                            				 *_t26 =  *_t26 + _t26;
                                            				 *_t38 =  *_t38 + _t26;
                                            				 *_t26 =  *_t26 + _t26;
                                            				asm("adc [edx], eax");
                                            				asm("outsd");
                                            				asm("daa");
                                            				 *_t26 =  *_t26 + _t26;
                                            				_t39 = _t38 |  *_t42;
                                            				 *_t31 = _t42 +  *_t31;
                                            				 *_t31 =  *_t31 ^ _t26;
                                            				 *_t44 =  *_t44 + _t26;
                                            				 *_t26 =  *_t26 + _t26;
                                            				 *_t39 =  *_t39 + _t26;
                                            				 *_t26 =  *_t26 + _t26;
                                            				asm("adc [edx], eax");
                                            				asm("outsd");
                                            				 *_t26 =  *_t26 - _t26;
                                            				 *_t42 =  *_t42 + _t39;
                                            				_t27 = _t26 -  *_t26;
                                            				asm("adc esi, [eax]");
                                            				 *_t27 =  *_t27 | _t27;
                                            				asm("adc al, 0x1");
                                            				 *_t27 =  *_t27 + _t27;
                                            				_t28 = _t27;
                                            				 *_t39 =  *_t39 + _t42;
                                            				 *_t28 =  *_t28 + _t28;
                                            				 *(_t28 + 0x58) =  *(_t28 + 0x58) & _t31;
                                            				asm("a16 adc al, 0x20");
                                            				asm("fist word [edi-0x7d]");
                                            				asm("popad");
                                            				_t29 = _t28 & 0x5e1e0813;
                                            				 *_t29 =  *_t29 | _t29;
                                            				 *_t29 =  *_t29 + _t29;
                                            				asm("retf");
                                            				asm("invalid");
                                            				goto [far dword [edi+0x23000000];
                                            			}

                                            Disassembly listing for E00884E38, addresses 0x00884e38 through 0x00884f35 (instruction text not recovered from the report page)
                                            0x00884f37
                                            0x00884f39
                                            0x00884f3b
                                            0x00884f3f
                                            0x00884f41
                                            0x00884f43
                                            0x00884f45
                                            0x00884f47
                                            0x00884f49
                                            0x00884f4b
                                            0x00884f4d
                                            0x00884f4f
                                            0x00884f51
                                            0x00884f56
                                            0x00884f58
                                            0x00884f5a
                                            0x00884f5c
                                            0x00884f5d
                                            0x00884f5f
                                            0x00884f61
                                            0x00884f63
                                            0x00884f65
                                            0x00884f66
                                            0x00884f69
                                            0x00884f6b
                                            0x00884f6d
                                            0x00884f6f
                                            0x00884f71
                                            0x00884f73
                                            0x00884f75
                                            0x00884f77
                                            0x00884f79
                                            0x00884f7a
                                            0x00884f7b
                                            0x00884f7d
                                            0x00884f7f
                                            0x00884f81
                                            0x00884f83
                                            0x00884f85
                                            0x00884f87
                                            0x00884f89
                                            0x00884f8b
                                            0x00884f8d
                                            0x00884f8e
                                            0x00884f90
                                            0x00884f92
                                            0x00884f94
                                            0x00884f96
                                            0x00884f98
                                            0x00884f9a
                                            0x00884f9c
                                            0x00884f9e
                                            0x00884fa3
                                            0x00884fa7
                                            0x00884faa
                                            0x00884fad
                                            0x00884fb1
                                            0x00884fb2
                                            0x00884fb8
                                            0x00884fba
                                            0x00884fbc
                                            0x00884fbd
                                            0x00884fbf

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319039477.0000000000882000.00000002.00020000.sdmp, Offset: 00880000, based on PE: true
                                            • Associated: 00000000.00000002.319028583.0000000000880000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.319140028.0000000000916000.00000002.00020000.sdmp
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dfee4ac61fd84075924df4b87c2e662c2b39d67ef6a4e0c9fc05e21d437382a1
                                            • Instruction ID: d9218ac8e7d6ffa54744730fc470108356b216e9668a8c7ec05522b36abfbb9e
                                            • Opcode Fuzzy Hash: dfee4ac61fd84075924df4b87c2e662c2b39d67ef6a4e0c9fc05e21d437382a1
                                            • Instruction Fuzzy Hash: 1A81F56540F7D28FCB534B7899B02917FB1AE4B22431E09DBC4C0CF1A7D269295AD723
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d1a6a9ff53fb2cd82e8d927eb753467c26312b10dfbcc68bc7fb541ee8382af0
                                            • Instruction ID: fafee0f1ce1a7bbd5cb26ae4d81a191d47630153a63e6b5bc42bf025049f6d6b
                                            • Opcode Fuzzy Hash: d1a6a9ff53fb2cd82e8d927eb753467c26312b10dfbcc68bc7fb541ee8382af0
                                            • Instruction Fuzzy Hash: A6710175E1520ADFCB08CFA9D58499EFBF1FF88310F14956AE419AB224D734AA41CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 34e4cd9620225247f409fcaf7b0190a0f817c25de1451a458a92bd51ca292af5
                                            • Instruction ID: 961dac842197e76872535082e03858ad6a79f1b88a6e0071db1dcfe6c748a31b
                                            • Opcode Fuzzy Hash: 34e4cd9620225247f409fcaf7b0190a0f817c25de1451a458a92bd51ca292af5
                                            • Instruction Fuzzy Hash: 42710075E05209DFCB08CF99E58099EFBF1FF88310F14956AE429AB224D734AA41DF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 364dd4afb35d7da21777bd2b0298174b09f633fb29e927ffa6aa8f82605fdf85
                                            • Instruction ID: 6e62de9c95f08a7fbee7d1a401ce51131b462c558c6db21f825ba8320a81741e
                                            • Opcode Fuzzy Hash: 364dd4afb35d7da21777bd2b0298174b09f633fb29e927ffa6aa8f82605fdf85
                                            • Instruction Fuzzy Hash: B6710F76E15609CFCB08CFA9D5859DEFBF2EF88750F24942AD405B7318D3309A429B64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bbd0ab638383df14d245e7d266ab185b8272725d9bac7033e1872a3d65b165c9
                                            • Instruction ID: 6fff49427a9d95382502bee875d4e9eb719bf1d9f7225018eae848ab858cbe93
                                            • Opcode Fuzzy Hash: bbd0ab638383df14d245e7d266ab185b8272725d9bac7033e1872a3d65b165c9
                                            • Instruction Fuzzy Hash: 22712276E156098FCB08CFA9C5859DEFBF2FF89710F24946AD405B7328D3309A429B64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7478f252a896f91bd3bfcf822687817231bd9d1cea823e32534ec20eb580095a
                                            • Instruction ID: 2104ee331549fffd223ff47781f1a750146165452b1eda12a485789f12a2ae6b
                                            • Opcode Fuzzy Hash: 7478f252a896f91bd3bfcf822687817231bd9d1cea823e32534ec20eb580095a
                                            • Instruction Fuzzy Hash: 1F71F4B4E4420ADFCB04DF99D5809AEFBB2FF89350F24951AD415AB310C734A982DF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7683578745e1622103e5dc4933c091537de6cf8baaa0d3f1ffb223d2964e6007
                                            • Instruction ID: 229fad73a74a87afb7a6e100980f93aa7e11b40c98e438f45cade1b62dc9f305
                                            • Opcode Fuzzy Hash: 7683578745e1622103e5dc4933c091537de6cf8baaa0d3f1ffb223d2964e6007
                                            • Instruction Fuzzy Hash: 2961F275E4424ADFCB04DFA9C5809AEFBB2FF89310F28856AD415A7311C734A982DF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29fb343d85ccfca05274124e6fcb43be8e3484d4b3b399d6e6cfef01dac08d14
                                            • Instruction ID: ec65689b3fdac92233489b7ab5095ce407230dd60499c78b221081fcd575fede
                                            • Opcode Fuzzy Hash: 29fb343d85ccfca05274124e6fcb43be8e3484d4b3b399d6e6cfef01dac08d14
                                            • Instruction Fuzzy Hash: D2515B75D0561A8BCB28CF66C94479ABBF2FFCA300F14D2EAD409A7615EB705A858F40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a36c10a44ac3650e114ac08a1a2254730759185966560b0cb9c40e0c27dcfaa
                                            • Instruction ID: c3719e0450e07d97b4e47a27ec88cbd5d3c5434ab15048ee10740809afefcdd8
                                            • Opcode Fuzzy Hash: 5a36c10a44ac3650e114ac08a1a2254730759185966560b0cb9c40e0c27dcfaa
                                            • Instruction Fuzzy Hash: 8F513C75E0461A8BCB28CF66D944BE9BBB2FFC9300F10D1BAD509A7614EB705A858F40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.319936679.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cbe3ed7c6e43705c85499fda74f71a4b80a6a2187ff80433d1f32a22ed020d94
                                            • Instruction ID: 6932a6d668210a211c3334ab253cf6229c642127462f1cc13752788569622e45
                                            • Opcode Fuzzy Hash: cbe3ed7c6e43705c85499fda74f71a4b80a6a2187ff80433d1f32a22ed020d94
                                            • Instruction Fuzzy Hash: EA41F4B5E0560ADFCB08CFAAC5805AEFBF2BB89300F64D56AC405B7214D7349A41DF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.327938103.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f7168c95af89373198e1db79c580e9212421c5760ea01edb4ab1c187d2e06ba3
                                            • Instruction ID: 791749dc607559b114094b7aecc4da43ecd3a6b6a75b79e254e7b0d813adbce2
                                            • Opcode Fuzzy Hash: f7168c95af89373198e1db79c580e9212421c5760ea01edb4ab1c187d2e06ba3
                                            • Instruction Fuzzy Hash: FF412975D5461ACBCB64CF65D984BE9BBB2FF89300F1096E6D009A6610EB709AC58F40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f6f35fa4c7f6089ada80d363963c931e90fa66fc782a749497917a7dcf5b7da2
                                            • Instruction ID: 44b315bf6cb5e842a5a2edd6d4e1969317ef5b41174cb46e3765f118275df49c
                                            • Opcode Fuzzy Hash: f6f35fa4c7f6089ada80d363963c931e90fa66fc782a749497917a7dcf5b7da2
                                            • Instruction Fuzzy Hash: C23179B9D052589FCB14CFA9E584ADEFBF1BB49314F14902AE414B7310D334AA45CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.321464985.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29ad0ddb3c5d2cc477c81e6507ed5cf2e6b99f963e119fe1f7eed6269be0da20
                                            • Instruction ID: 1fbf4185310c8413febe8e9c6e06eb13b38bdf018e6a59cc96260e1acc2eab07
                                            • Opcode Fuzzy Hash: 29ad0ddb3c5d2cc477c81e6507ed5cf2e6b99f963e119fe1f7eed6269be0da20
                                            • Instruction Fuzzy Hash: 473189B5D052589FCB10CFA9D984ADEFBF5BB49314F14902AE414B7310D734A945CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Executed Functions

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 02966BB0
                                            • GetCurrentThread.KERNEL32 ref: 02966BED
                                            • GetCurrentProcess.KERNEL32 ref: 02966C2A
                                            • GetCurrentThreadId.KERNEL32 ref: 02966C83
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.493212348.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: a2c8f0e08579ec42d1ddebe6972550126aa0fc5fc0ad42ef47e09f9f1ec57a10
                                            • Instruction ID: 97992c7979b08f68220dac692b8fa1202661cf3cdd88205f5080bb5e8d738f54
                                            • Opcode Fuzzy Hash: a2c8f0e08579ec42d1ddebe6972550126aa0fc5fc0ad42ef47e09f9f1ec57a10
                                            • Instruction Fuzzy Hash: 8B5145B0A007898FDB14CFA9C6487AEBBF5EF49314F208459E019B7350DB786945CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 029652A2
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.493212348.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: a465166a9db8c44f1b66eefb2a9f6ea1f963a32a2f122a4792feec05d435249b
                                            • Instruction ID: 439a1d8d40f5bb8cb260ac249c33d501add6113f0de23833c777404775a123c8
                                            • Opcode Fuzzy Hash: a465166a9db8c44f1b66eefb2a9f6ea1f963a32a2f122a4792feec05d435249b
                                            • Instruction Fuzzy Hash: 7E51E2B1D00348AFDB14CFA9C884ADEBBF5FF48314F65852AE815AB210D7749885CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 029652A2
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.493212348.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 133ef521ff783678497418b21c53c48c21139334441719d1e4f6668efcc618df
                                            • Instruction ID: b5b1ca86825fd865cd4d36ee9a95a66a22ead619f5cb403eea3fc02972cf4cb3
                                            • Opcode Fuzzy Hash: 133ef521ff783678497418b21c53c48c21139334441719d1e4f6668efcc618df
                                            • Instruction Fuzzy Hash: 9B41CFB1D00349AFDB14CF99C884ADEBBF5FF48314F65852AE819AB210D7749885CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 02967D01
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.493212348.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 7ad32d17d1950bd697ae8f20fda1b96feb91a7084e247634303458a74cc4b70a
                                            • Instruction ID: 252f06ea7874ca4fc2f47955babc2aad1728a0f34baa42ef01ddd97a81532db3
                                            • Opcode Fuzzy Hash: 7ad32d17d1950bd697ae8f20fda1b96feb91a7084e247634303458a74cc4b70a
                                            • Instruction Fuzzy Hash: BC4108B5A00345DFDB14CF99C548AAAFBF5FF88318F148859E519AB361D734A841CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 0296C442
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.493212348.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: b52acafc75e6f480d359c1b063062b41449eeb4d1ec9648619d8fc45c9718ca1
                                            • Instruction ID: 5e93ef5f914d6c5b15462cc1d7fcf5420714fea6d515b9dc0cf123f92afaa84c
                                            • Opcode Fuzzy Hash: b52acafc75e6f480d359c1b063062b41449eeb4d1ec9648619d8fc45c9718ca1
                                            • Instruction Fuzzy Hash: B031B2709053858FDB10DF68D5083FEBFF0EB86328F14846AD488A7642C779541ACFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02966DFF
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.493212348.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 83aa7bf4718d9d1c9a3b3319a1e54efed942d840566e56fd80b9f06ec464f441
                                            • Instruction ID: 1664bc55d60142739b8539d50708c05f5bd54883fde401c745a513a6c924d092
                                            • Opcode Fuzzy Hash: 83aa7bf4718d9d1c9a3b3319a1e54efed942d840566e56fd80b9f06ec464f441
                                            • Instruction Fuzzy Hash: 0421E4B5D00248AFDB10CFA9D484AEEBBF8EB48324F14841AE914B7310D378A955CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02966DFF
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.493212348.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 5fc9cd6969456c96b90f59830d63f1fb3ccc97e464b3099505832269d3dbc6de
                                            • Instruction ID: dbcbc1564ad799f0969377f0688eb2b6bd86588f47e3e9a8333fb6ae8893831d
                                            • Opcode Fuzzy Hash: 5fc9cd6969456c96b90f59830d63f1fb3ccc97e464b3099505832269d3dbc6de
                                            • Instruction Fuzzy Hash: C321C4B5900248AFDB10CF99D984AEEBBF8EB48324F14841AE914A7350D378A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 0296C442
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.493212348.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: 0fc17a82a62469b6c3ca09679a90cbe5a6d3d6823ec3af4881459b61852496fa
                                            • Instruction ID: d88ce8200c969542bb3a79b4eff0b4a424a256992dafd0ed203cd585cf3ef1e2
                                            • Opcode Fuzzy Hash: 0fc17a82a62469b6c3ca09679a90cbe5a6d3d6823ec3af4881459b61852496fa
                                            • Instruction Fuzzy Hash: 3B119D70A003498FDB10DFA8C5087AEBFF4EB4A328F10842AE448A3640C738A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000012.00000002.492755586.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1ce436e74c01ac01aaa7649a59e94a432c1c3a47b242630540103aae77c4e622
                                            • Instruction ID: 817d4386e5dabedaff769e0a22cba5e05675576257ee086cfdd7e6aa4b47331a
                                            • Opcode Fuzzy Hash: 1ce436e74c01ac01aaa7649a59e94a432c1c3a47b242630540103aae77c4e622
                                            • Instruction Fuzzy Hash: 8C213A75504240DFCB16CF54D8C8B2ABBA1FB84354F24C5ADF9894B24AC33AD847C761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000012.00000002.492755586.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 13a5dd89c4e04e7b034098b9a6b3c5328201ea2187bf87cfbe925b6137f2990e
                                            • Instruction ID: cf3979f1926876a3db597377d8de89962bb666c1f8116d4329703010e8451f5a
                                            • Opcode Fuzzy Hash: 13a5dd89c4e04e7b034098b9a6b3c5328201ea2187bf87cfbe925b6137f2990e
                                            • Instruction Fuzzy Hash: 7C119075504280DFDB12CF54D5C4B15FFA1FB44314F24C6AAE8494B65AC33AD44ACB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions