
Analysis Report HT210525 IV Quotation.exe

Overview

General Information

Sample Name: HT210525 IV Quotation.exe
Analysis ID: 433221
MD5: 8ea3cb0d331f0a8414e5b2ecfce3abf3
SHA1: 4c690653287b4b783b46ec4991d71d81ca527dbc
SHA256: e2b3c7e7061e68aa31813371c589b7b0b11b12750fab1ce87f5ea7cca9740563
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to detect virtual machines (SGDT)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • HT210525 IV Quotation.exe (PID: 6688 cmdline: 'C:\Users\user\Desktop\HT210525 IV Quotation.exe' MD5: 8EA3CB0D331F0A8414E5B2ECFCE3ABF3)
    • schtasks.exe (PID: 6588 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KEehxxQTfXmag' /XML 'C:\Users\user\AppData\Local\Temp\tmpCED.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6684 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 6676 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • NewApp.exe (PID: 6868 cmdline: 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NewApp.exe (PID: 5396 cmdline: 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
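The tree above carries three behaviours that translate directly from the sandbox to endpoint telemetry: a scheduled task imported with schtasks /Create /XML from a file in %LocalAppData%\Temp, RegSvcs.exe (the hollowing host, see the NtUnmapViewOfSection calls further down) spawned by an executable on the user's Desktop, and a write to the hosts file attributed to RegSvcs.exe in the behaviour section. The report's Sigma section shows no match, so the logic below is a useful starting point. It is an added example and not Joe Sandbox output: the event schema, the explorer.exe parent of the initial sample and the RegSvcs.exe parent allow-list are assumptions; PIDs and paths come from the tree. Note the tree shows schtasks.exe executing from SysWOW64 although the command line names System32 (the 32-bit parent is redirected), so the rules match on the file name rather than the full path.

```python
"""Detection logic for the three endpoint-visible behaviours in the tree above.

Added example, not Joe Sandbox output. The event schema, the explorer.exe
parent of the initial sample and the RegSvcs.exe parent allow-list are
assumptions; PIDs and paths are taken from the process tree.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full path of the created process
    cmdline: str
    parent_image: str  # full path of the creating process

@dataclass(frozen=True)
class FileEvent:
    pid: int
    image: str   # process that performed the write
    target: str  # file written

Alert = Tuple[str, int, str]  # (rule name, pid, detail)

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)
LOCAL_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.I)
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"
# Assumed allow-list of parents that legitimately spawn RegSvcs.exe (dev tooling).
REGSVCS_PARENTS_OK = {"devenv.exe", "msbuild.exe", "installutil.exe"}

def basename(path: str) -> str:
    """Lower-cased file name; matching on it tolerates the WOW64 redirect
    (schtasks.exe ran from SysWOW64 while its command line said System32)."""
    return path.rsplit("\\", 1)[-1].lower()

def rule_schtasks_xml_from_temp(ev: ProcEvent) -> Optional[Alert]:
    """schtasks /Create importing a task XML from %LocalAppData%\\Temp on
    behalf of a parent running from a user-writable directory."""
    if basename(ev.image) != "schtasks.exe" or not re.search(r"/create\b", ev.cmdline, re.I):
        return None
    m = re.search(r"/xml\s+['\"]?([^'\"]+)", ev.cmdline, re.I)
    if m and LOCAL_TEMP.search(m.group(1)) and USER_WRITABLE.search(ev.parent_image):
        return ("schtasks_xml_from_temp", ev.pid, m.group(1).strip())
    return None

def rule_regsvcs_unexpected_parent(ev: ProcEvent) -> Optional[Alert]:
    """RegSvcs.exe is a .NET utility abused here as the hollowing host;
    flag it unless a known developer tool spawned it."""
    if basename(ev.image) != "regsvcs.exe" or basename(ev.parent_image) in REGSVCS_PARENTS_OK:
        return None
    return ("regsvcs_unexpected_parent", ev.pid, ev.parent_image)

def rule_hosts_file_write(ev: FileEvent) -> Optional[Alert]:
    """Any write to the hosts file (the report attributes one to RegSvcs.exe)."""
    if ev.target.lower() == HOSTS_FILE:
        return ("hosts_file_modified", ev.pid, ev.image)
    return None

def run_detections(procs: List[ProcEvent], files: List[FileEvent]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in procs:
        for rule in (rule_schtasks_xml_from_temp, rule_regsvcs_unexpected_parent):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    for fev in files:
        hit = rule_hosts_file_write(fev)
        if hit:
            alerts.append(hit)
    return alerts

SAMPLE = r"C:\Users\user\Desktop\HT210525 IV Quotation.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed from the tree; parents the report lists as unknown are assumed.
PROC_EVENTS = [
    ProcEvent(6688, SAMPLE, "'" + SAMPLE + "'", r"C:\Windows\explorer.exe"),
    ProcEvent(6588, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KEehxxQTfXmag' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmpCED.tmp'", SAMPLE),
    ProcEvent(6684, REGSVCS, REGSVCS, SAMPLE),
    ProcEvent(6676, REGSVCS, REGSVCS, SAMPLE),
    # Benign controls (constructed): a build spawning RegSvcs.exe, and an
    # administrator importing a task definition from ProgramData.
    ProcEvent(4242, REGSVCS, REGSVCS, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"),
    ProcEvent(4300, r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Create /TN Deploy /XML C:\ProgramData\Deploy\task.xml",
              r"C:\Windows\System32\cmd.exe"),
]
FILE_EVENTS = [
    FileEvent(6684, REGSVCS, r"C:\Windows\System32\drivers\etc\hosts"),
    FileEvent(6684, REGSVCS, r"C:\Users\user\AppData\Roaming\NewApp\NewApp.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in run_detections(PROC_EVENTS, FILE_EVENTS):
        print(f"{rule:26s} pid={pid:<6d} {detail}")
```

Run against the constructed events, the four malicious records alert and the two benign controls stay silent. The RegSvcs.exe rule is deliberately parent-based rather than command-line-based: the `{path}` shown in the tree is a report placeholder, not the real argument, and a hollowed host usually carries an unremarkable command line.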

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "accounts@buynsell.com.pkTZaQ}N$m+6$vmail.buynsell.com.pkmaria@tradzilanilaw.co.za"}

Note that the extractor has emitted the SMTP settings as a single string: what appear to be the sending account, its password, the mail server host name and the recipient address are run together without delimiters, so the field boundaries cannot be recovered with certainty from this report alone.

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000D.00000000.440537158.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(7 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.HT210525 IV Quotation.exe.3bb5278.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.HT210525 IV Quotation.exe.3bb5278.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.HT210525 IV Quotation.exe.3bb5278.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.HT210525 IV Quotation.exe.3bb5278.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
13.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(3 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "accounts@buynsell.com.pkTZaQ}N$m+6$vmail.buynsell.com.pkmaria@tradzilanilaw.co.za"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\KEehxxQTfXmag.exe | ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: HT210525 IV Quotation.exe | Virustotal: Detection: 39%
Source: HT210525 IV Quotation.exe | ReversingLabs: Detection: 58%
Source: 13.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 13.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Unpacked PE file: 0.2.HT210525 IV Quotation.exe.540000.0.unpack
Source: HT210525 IV Quotation.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HT210525 IV Quotation.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000D.00000002.601017692.0000000005E50000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.509003521.0000000000D22000.00000002.00020000.sdmp, NewApp.exe, 00000016.00000000.524405715.00000000006C2000.00000002.00020000.sdmp, NewApp.exe.13.dr
Source: Binary string: RegSvcs.pdb source: NewApp.exe, NewApp.exe.13.dr
Source: RegSvcs.exe, 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp | String found in binary or memory: http://IsXVMb.com
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: HT210525 IV Quotation.exe, 00000000.00000002.442922182.0000000002A91000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HT210525 IV Quotation.exe, 00000000.00000003.335108063.0000000005C2E000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: HT210525 IV Quotation.exe, 00000000.00000003.335492406.0000000005C4D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: HT210525 IV Quotation.exe, 00000000.00000003.335492406.0000000005C4D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: HT210525 IV Quotation.exe, 00000000.00000003.335492406.0000000005C4D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp, HT210525 IV Quotation.exe, 00000000.00000003.340397452.0000000005C2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: HT210525 IV Quotation.exe, 00000000.00000003.341632770.0000000005C2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers#2Oc
Source: HT210525 IV Quotation.exe, 00000000.00000003.338826050.0000000005C4B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: HT210525 IV Quotation.exe, 00000000.00000003.341139830.0000000005C4B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: HT210525 IV Quotation.exe, 00000000.00000003.341394504.0000000005C4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlp
Source: HT210525 IV Quotation.exe, 00000000.00000003.338875299.0000000005C2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/n
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: HT210525 IV Quotation.exe, 00000000.00000003.341374586.0000000005C2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersK2
Source: HT210525 IV Quotation.exe, 00000000.00000003.339726935.0000000005C2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersU2
Source: HT210525 IV Quotation.exe, 00000000.00000002.442801605.0000000001147000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: HT210525 IV Quotation.exe, 00000000.00000002.442801605.0000000001147000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: HT210525 IV Quotation.exe, 00000000.00000002.442801605.0000000001147000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.como$
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: HT210525 IV Quotation.exe, 00000000.00000003.334510475.0000000005C46000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.c
Source: HT210525 IV Quotation.exe, 00000000.00000003.334541105.0000000005C4C000.00000004.00000001.sdmp, HT210525 IV Quotation.exe, 00000000.00000003.334031759.0000000005C2C000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: HT210525 IV Quotation.exe, 00000000.00000003.334541105.0000000005C4C000.00000004.00000001.sdmp, HT210525 IV Quotation.exe, 00000000.00000003.333367785.0000000005C4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: HT210525 IV Quotation.exe, 00000000.00000003.333302020.0000000005C4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/nt
Source: HT210525 IV Quotation.exe, 00000000.00000003.333988336.0000000005C4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna-da
Source: HT210525 IV Quotation.exe, 00000000.00000003.334431042.0000000005C46000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnak
Source: HT210525 IV Quotation.exe, 00000000.00000003.333982038.0000000005C46000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnt-p
Source: HT210525 IV Quotation.exe, 00000000.00000003.333853304.0000000005C4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnuct
Source: HT210525 IV Quotation.exe, 00000000.00000003.343375719.0000000005C4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: HT210525 IV Quotation.exe, 00000000.00000003.343733436.0000000005C4C000.00000004.00000001.sdmp, HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: HT210525 IV Quotation.exe, 00000000.00000003.333206126.0000000005C4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krg
Source: HT210525 IV Quotation.exe, 00000000.00000003.333206126.0000000005C4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krny
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: HT210525 IV Quotation.exe, 00000000.00000003.344381296.0000000005C4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: HT210525 IV Quotation.exe, 00000000.00000003.333167937.0000000005C4B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: HT210525 IV Quotation.exe, 00000000.00000003.333167937.0000000005C4B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr=
Source: HT210525 IV Quotation.exe, 00000000.00000003.333206126.0000000005C4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krim
Source: HT210525 IV Quotation.exe, 00000000.00000003.333206126.0000000005C4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krn
Source: HT210525 IV Quotation.exe, 00000000.00000003.333167937.0000000005C4B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kru
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: HT210525 IV Quotation.exe, 00000000.00000003.335681000.0000000005C4D000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comic
Source: HT210525 IV Quotation.exe, 00000000.00000003.335681000.0000000005C4D000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comslntp
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: HT210525 IV Quotation.exe, 00000000.00000003.338826050.0000000005C4B000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: HT210525 IV Quotation.exe, 00000000.00000003.341835039.0000000005C4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de#
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: HT210525 IV Quotation.exe, 00000000.00000003.341835039.0000000005C4C000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deFr(
Source: HT210525 IV Quotation.exe, 00000000.00000003.338545084.0000000005C4B000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.dewa
Source: HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: HT210525 IV Quotation.exe, 00000000.00000003.335295630.0000000005C4D000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.
Source: HT210525 IV Quotation.exe, 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: HT210525 IV Quotation.exe, 00000000.00000002.442105087.0000000000DD8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
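The report records only that RegSvcs.exe wrote to the hosts file, not what it wrote, so the first triage step on an affected host is to pull the file and separate its content from the default. The following is an added example, not Joe Sandbox output and not the content this specimen wrote: the hosts text is constructed with reserved .test names and documentation addresses, and the real file from the infected machine goes in its place.

```python
"""Triage of a Windows hosts file after a sandbox flags a write to it.

Added example, not Joe Sandbox output. The report records only that
RegSvcs.exe wrote C:\\Windows\\System32\\drivers\\etc\\hosts, not the
content, so the hosts text below is constructed with reserved .test
names; the real file from the infected host goes in its place.
"""
import ipaddress
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (kind, hostname or raw line, ip)

# The default Windows hosts file contains only comments; these two entries
# are also common and harmless when present.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> List[Tuple[Optional[object], str]]:
    """Return (address, hostname) pairs, one per name, skipping comments and
    blank lines. Malformed lines come back as (None, raw line) so that they
    stay visible rather than being silently dropped."""
    entries: List[Tuple[Optional[object], str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((None, line))
            continue
        for name in fields[1:]:
            entries.append((addr, name.lower()))
    return entries


def triage_hosts(text: str) -> List[Finding]:
    """Classify every entry that is not in the baseline.

    sinkholed : name mapped to loopback or 0.0.0.0, i.e. blackholed (the
                usual way malware blocks update or telemetry servers)
    redirected: name mapped to some other address (phishing / MITM style)
    invalid   : line that is not a well-formed hosts entry
    """
    findings: List[Finding] = []
    for addr, name in parse_hosts(text):
        if addr is None:
            findings.append(("invalid", name, ""))
            continue
        ip = str(addr)
        if (ip, name) in BASELINE:
            continue
        kind = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((kind, name, ip))
    return findings


# Constructed sample; not the file written by this specimen.
CONSTRUCTED_HOSTS = """\
# constructed sample, not the file written by this specimen
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.test   # blackholed update server
127.0.0.1       telemetry.example-av.test
203.0.113.10    login.example-bank.test
not-an-address junk
"""

if __name__ == "__main__":
    for kind, name, ip in triage_hosts(CONSTRUCTED_HOSTS):
        print(f"{kind:10s} {name:30s} {ip}")
```

Anything the function returns is worth a second look; a clean host yields an empty list. Comparing the result against a known-good copy from an unaffected machine of the same build catches site-specific legitimate entries that this generic baseline does not know about.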

System Summary:

.NET source code contains very large array initializations
Source: 13.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{8BF639BF-B050-491A-B7C3-9B4E757F287E}/EE632A4B-7496-4EB8-973D-C6A9FD69F6EE.cs | Large array initialization: .cctor: array initializer size 12026
Source: 13.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{8BF639BF-B050-491A-B7C3-9B4E757F287E}/EE632A4B-7496-4EB8-973D-C6A9FD69F6EE.cs | Large array initialization: .cctor: array initializer size 12026
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: HT210525 IV Quotation.exe
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_00DC01A4 NtQueryInformationProcess
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_00DC33A0 NtQueryInformationProcess
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_04AA2BF8 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_04AA2BF0 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_00DC2C78
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_00DC3170
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_00DC36C8
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_00DC0471
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_00DC3161
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_00DC36B8
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_04AA0EB0
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_04AA0EA1
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_04AA0881
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_04AA10EC
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_04AA0007
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_04AA0040
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_04AA1140
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_04AA115C
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_0570EC48
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_057094A8
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_05709498
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_05708E30
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_05705638
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_05708E21
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_05705628
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_05708B85
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_05708B88
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_0570D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_014B4860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_014B4790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_014B4810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_014BDA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05FB7538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05FB94F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05FB6920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_05FB6C68
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                      Source: HT210525 IV Quotation.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: KEehxxQTfXmag.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: HT210525 IV Quotation.exeBinary or memory string: OriginalFilename vs HT210525 IV Quotation.exe
                      Source: HT210525 IV Quotation.exe, 00000000.00000002.454899626.000000000EBC0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs HT210525 IV Quotation.exe
                      Source: HT210525 IV Quotation.exe, 00000000.00000002.454521545.0000000008F10000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs HT210525 IV Quotation.exe
                      Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCXJCmeIpHLhzNZNIEmFUISrE.exe4 vs HT210525 IV Quotation.exe
                      Source: HT210525 IV Quotation.exe, 00000000.00000002.446272357.0000000003C86000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs HT210525 IV Quotation.exe
                      Source: HT210525 IV Quotation.exe, 00000000.00000002.446272357.0000000003C86000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameeNX0.exe: vs HT210525 IV Quotation.exe
                      Source: HT210525 IV Quotation.exe, 00000000.00000002.443521703.0000000002BE5000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWindowsNetwork.dll> vs HT210525 IV Quotation.exe
                      Source: HT210525 IV Quotation.exe, 00000000.00000002.455028919.000000000ECB0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs HT210525 IV Quotation.exe
                      Source: HT210525 IV Quotation.exe, 00000000.00000002.455028919.000000000ECB0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs HT210525 IV Quotation.exe
                      Source: HT210525 IV Quotation.exeBinary or memory string: OriginalFilenameeNX0.exe: vs HT210525 IV Quotation.exe
                      Source: HT210525 IV Quotation.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 13.0.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 13.0.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 13.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 13.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.adwa.evad.winEXE@12/8@0/0
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeFile created: C:\Users\user\AppData\Roaming\KEehxxQTfXmag.exeJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3500:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_01
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeFile created: C:\Users\user\AppData\Local\Temp\tmpCED.tmpJump to behavior
                      Source: HT210525 IV Quotation.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HT210525 IV Quotation.exe | Virustotal: Detection: 39%
Source: HT210525 IV Quotation.exe | ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | File read: C:\Users\user\Desktop\HT210525 IV Quotation.exe
Source: unknown | Process created: C:\Users\user\Desktop\HT210525 IV Quotation.exe 'C:\Users\user\Desktop\HT210525 IV Quotation.exe'
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KEehxxQTfXmag' /XML 'C:\Users\user\AppData\Local\Temp\tmpCED.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: HT210525 IV Quotation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: HT210525 IV Quotation.exe | Static file information: File size 1129472 > 1048576
Source: HT210525 IV Quotation.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000D.00000002.601017692.0000000005E50000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.509003521.0000000000D22000.00000002.00020000.sdmp, NewApp.exe, 00000016.00000000.524405715.00000000006C2000.00000002.00020000.sdmp, NewApp.exe.13.dr
                      Source: Binary string: RegSvcs.pdb source: NewApp.exe, NewApp.exe.13.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Unpacked PE file: 0.2.HT210525 IV Quotation.exe.540000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Unpacked PE file: 0.2.HT210525 IV Quotation.exe.540000.0.unpack
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_00545746 push esi; ret 0_2_00545747
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_0054241B push esi; retf 0_2_00542439
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_04AA1831 push edi; ret 0_2_04AA1833
Source: initial sample | Static PE information: section name: .text entropy: 7.09066912036
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | File created: C:\Users\user\AppData\Roaming\KEehxxQTfXmag.exe (dropped file)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe (dropped file)

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KEehxxQTfXmag' /XML 'C:\Users\user\AppData\Local\Temp\tmpCED.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NewApp

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: HT210525 IV Quotation.exe PID: 6688, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Code function: 0_2_00DC7B19 sgdt fword ptr [eax] 0_2_00DC7B19
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7784
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe TID: 6752 | Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe TID: 6736 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 4964 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 5496 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RegSvcs.exe, 0000000D.00000002.600743634.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 0000000D.00000002.600743634.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 0000000D.00000002.600743634.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: HT210525 IV Quotation.exe, 00000000.00000002.442341794.0000000000E5E000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: HT210525 IV Quotation.exe, 00000000.00000002.442341794.0000000000E5E000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: HT210525 IV Quotation.exe, 00000000.00000002.442978805.0000000002ADF000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 0000000D.00000002.600743634.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B30008
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KEehxxQTfXmag' /XML 'C:\Users\user\AppData\Local\Temp\tmpCED.tmp'
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}Jump to behavior
                      Source: RegSvcs.exe, 0000000D.00000002.597004930.00000000016F0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 0000000D.00000002.597004930.00000000016F0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: RegSvcs.exe, 0000000D.00000002.597004930.00000000016F0000.00000002.00000001.sdmpBinary or memory string: &Program Manager
                      Source: RegSvcs.exe, 0000000D.00000002.597004930.00000000016F0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
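The rows in this section are the evidence an analyst chains together: the sample unmaps the image section of a freshly created RegSvcs.exe at base 400000, writes a PE header (bytes 4D5A, "MZ") back at that same base followed by further regions, registers a scheduled task from an XML file in the user's Temp directory, and the hollowed RegSvcs.exe then writes the hosts file. The Python below is an added example, not part of the Joe Sandbox report and not the sample's code: it parses rows in the report's own "Source: <process> <event>: <detail>" form and reconstructs those three findings. The embedded rows are a constructed copy of this section with the link text dropped; the event vocabulary it recognises and the "task XML under AppData\Local\Temp" heuristic are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox-style behaviour rows (added example, not
from the report). Reconstructs process hollowing, scheduled-task persistence
and a hosts-file write from "Source: <process> <event>: <detail>" rows."""
import json
import re
from collections import defaultdict

# Constructed sample: the rows of the evasion section above with the page's
# "Jump to behavior" link text dropped. ROW also accepts the fused
# "...exeMemory written" form the page extraction produced.
SAMPLE = r"""
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 400000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B30008
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KEehxxQTfXmag' /XML 'C:\Users\user\AppData\Local\Temp\tmpCED.tmp'
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
"""

# Event vocabulary is an assumption of this example (the four row types used here).
EVENTS = ("Memory written", "Section unmapped", "File written", "Process created")
ROW = re.compile(r"^Source:\s*(?P<src>.+?)\s*(?P<event>" + "|".join(EVENTS) + r"):\s*(?P<detail>.+)$")
WRITE = re.compile(r"(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
UNMAP = re.compile(r"(?P<target>.+?) base address: (?P<base>[0-9A-Fa-f]+)$")


def parse_rows(text):
    """One dict per recognised row; rows of other event types are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.strip().splitlines()) if m]


def find_hollowing(rows):
    """Hollowing: the injector unmaps the target's image base, then writes a
    PE header (4D5A = 'MZ') back at that same base."""
    unmapped = defaultdict(set)   # (injector, target) -> {base}
    writes = defaultdict(list)    # (injector, target) -> [(base, magic)]
    for r in rows:
        if r["event"] == "Section unmapped" and (m := UNMAP.match(r["detail"])):
            unmapped[(r["src"], m["target"])].add(m["base"].upper())
        elif r["event"] == "Memory written" and (m := WRITE.match(r["detail"])):
            writes[(r["src"], m["target"])].append((m["base"].upper(), (m["magic"] or "").upper()))
    findings = []
    for key, bases in unmapped.items():
        for base, magic in writes.get(key, []):
            if base in bases and magic.startswith("4D5A"):
                findings.append({"injector": key[0], "target": key[1], "image_base": base,
                                 "regions_written": len({b for b, _ in writes[key]})})
    return findings


def find_task_persistence(rows):
    """schtasks /Create whose task definition comes from an XML file; flags
    XML under the user's Temp directory (heuristic assumed by this example)."""
    out = []
    for r in rows:
        d = r["detail"]
        if r["event"] != "Process created" or "schtasks" not in d.lower() or "/create" not in d.lower():
            continue
        tn = re.search(r"/TN\s+'([^']+)'", d)
        xml = re.search(r"/XML\s+'([^']+)'", d)
        out.append({"creator": r["src"], "task": tn[1] if tn else None,
                    "xml": xml[1] if xml else None,
                    "xml_in_temp": bool(xml and "\\appdata\\local\\temp\\" in xml[1].lower())})
    return out


def find_hosts_tampering(rows, hollowed_targets):
    """Any write to drivers\\etc\\hosts; records whether the writer is a hollowed process."""
    out = []
    for r in rows:
        if r["event"] == "File written" and r["detail"].lower().endswith(r"\drivers\etc\hosts"):
            out.append({"writer": r["src"], "writer_is_hollowed": r["src"] in hollowed_targets})
    return out


def triage(text):
    rows = parse_rows(text)
    hollow = find_hollowing(rows)
    return {"hollowing": hollow,
            "tasks": find_task_persistence(rows),
            "hosts": find_hosts_tampering(rows, {f["target"] for f in hollow})}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run as a script it prints the three findings as JSON: one hollowing record (injector, RegSvcs.exe target, image base 400000, five distinct regions written), one task record naming Updates\KEehxxQTfXmag with its XML flagged as living under Temp, and one hosts record whose writer is the hollowed RegSvcs.exe. The hollowing check deliberately requires both the unmap and the MZ write at the same base in the same injector/target pair, so a plain WriteProcessMemory into another process (which also produces "Memory written" rows) is not reported as hollowing on its own.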
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Users\user\Desktop\HT210525 IV Quotation.exe VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HT210525 IV Quotation.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeQueries volume information: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeQueries volume information: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_05FB58F4 GetUserNameW,13_2_05FB58F4
                      Source: C:\Users\user\Desktop\HT210525 IV Quotation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.440537158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.440537158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6676, type: MEMORY
Source: Yara match | File source: Process Memory Space: HT210525 IV Quotation.exe PID: 6688, type: MEMORY
Source: Yara match | File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
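The behaviours recorded above form a compact detection story: RegSvcs.exe (a signed .NET framework utility) is started by the sample from the user's Desktop, the 13.0 dump (taken at the start of that RegSvcs.exe process, before it ran its own code) already matches AgentTesla at 0x400000, the same RegSvcs.exe then writes C:\Windows\System32\drivers\etc\hosts, and a copy named NewApp.exe appears under AppData\Roaming. The following Python is an added example, not part of this report or of Joe Sandbox, showing how those indicators translate into detection logic over Sysmon-style events. The event records, their field names (id, image, parent, target, access) and the path prefixes treated as "user-writable" are assumptions chosen for the example; the sample events are constructed to mirror the report's process tree, not copied from its raw log.

```python
"""Detection logic for the behaviours this report records: a .NET framework
utility (RegSvcs.exe) started from a user-writable path and hollowed by its
parent, that hollowed process writing the hosts file, and a copy of the
sample dropped under AppData\\Roaming. Sysmon-style events are used because
that is the telemetry most EDR/SIEM pipelines already collect.
"""
from typing import Any, Dict, List, Tuple

# Sysmon event IDs used below: ProcessCreate, ProcessAccess, FileCreate
PROCESS_CREATE, PROCESS_ACCESS, FILE_CREATE = 1, 10, 11

# Paths taken from the behaviours listed in this report (lower-cased for matching).
# The "user-writable" prefixes are an assumption for the example.
NET_FRAMEWORK_DIRS = ("c:\\windows\\microsoft.net\\framework\\",
                      "c:\\windows\\microsoft.net\\framework64\\")
HOSTS_FILE = "c:\\windows\\system32\\drivers\\etc\\hosts"
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
ROAMING_MARKER = "\\appdata\\roaming\\"

# Rights a writer needs to replace another process's image:
# PROCESS_VM_OPERATION (0x8) | PROCESS_VM_WRITE (0x20) | PROCESS_CREATE_THREAD (0x2)
HOLLOWING_ACCESS = 0x0008 | 0x0020 | 0x0002

Event = Dict[str, Any]
Finding = Tuple[str, str, str]  # (rule, actor image, target)

# Constructed sample events modelled on this report's process tree; they are
# not copied from the sandbox's raw log.
SAMPLE_EVENTS: List[Event] = [
    {"id": PROCESS_CREATE, "image": r"C:\Users\user\Desktop\HT210525 IV Quotation.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": PROCESS_CREATE, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent": r"C:\Users\user\Desktop\HT210525 IV Quotation.exe"},
    {"id": PROCESS_ACCESS, "image": r"C:\Users\user\Desktop\HT210525 IV Quotation.exe",
     "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "access": "0x1FFFFF"},
    {"id": FILE_CREATE, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"id": FILE_CREATE, "image": r"C:\Users\user\Desktop\HT210525 IV Quotation.exe",
     "target": r"C:\Users\user\AppData\Roaming\NewApp\NewApp.exe"},
    # Benign noise that must not fire: an installer legitimately running RegSvcs.exe
    # and a service writing a log file.
    {"id": PROCESS_CREATE, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"id": FILE_CREATE, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\setup.log"},
]


def _under(path: str, prefixes) -> bool:
    p = path.lower()
    return any(p.startswith(prefix) for prefix in prefixes)


def is_dotnet_utility(image: str) -> bool:
    return _under(image, NET_FRAMEWORK_DIRS)


def grants_hollowing_access(mask: str) -> bool:
    """True if a ProcessAccess mask includes every right needed to hollow the target."""
    return int(mask, 16) & HOLLOWING_ACCESS == HOLLOWING_ACCESS


def detect(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    # Pass 1: .NET framework utilities launched by something in a user-writable path.
    suspicious_pairs = set()
    for e in events:
        if e["id"] == PROCESS_CREATE and is_dotnet_utility(e["image"]) \
                and _under(e["parent"], USER_WRITABLE_PREFIXES):
            suspicious_pairs.add((e["parent"].lower(), e["image"].lower()))
            findings.append(("dotnet_utility_from_user_path", e["parent"], e["image"]))
    # Pass 2: what those parents and children then do.
    for e in events:
        if e["id"] == PROCESS_ACCESS:
            pair = (e["image"].lower(), e["target"].lower())
            # Only fires when the writer opened the child explicitly; a handle
            # obtained from CreateProcess may not produce a separate event, so
            # pass 1 stands on its own.
            if pair in suspicious_pairs and grants_hollowing_access(e["access"]):
                findings.append(("process_hollowing_candidate", e["image"], e["target"]))
        elif e["id"] == FILE_CREATE:
            target = e["target"].lower()
            if target == HOSTS_FILE:
                # Any write to hosts is rare; from a hollowed .NET utility it is decisive.
                findings.append(("hosts_file_written", e["image"], e["target"]))
            elif ROAMING_MARKER in target and target.endswith(".exe") \
                    and _under(e["image"], USER_WRITABLE_PREFIXES):
                findings.append(("exe_dropped_in_roaming", e["image"], e["target"]))
    return findings


if __name__ == "__main__":
    for rule, actor, target in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} {actor} -> {target}")
```

Run against the constructed events, the four malicious records each produce one finding and the two benign ones produce none; in a real pipeline the hosts-file rule is the cheapest to deploy and the one least likely to be noisy, since almost nothing on a workstation writes that file after installation.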

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.440537158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.440537158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6676, type: MEMORY
Source: Yara match | File source: Process Memory Space: HT210525 IV Quotation.exe PID: 6688, type: MEMORY
Source: Yara match | File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HT210525 IV Quotation.exe.3bb5278.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is listed here by tactic (one column of the original per line). The digits that the original page renders as badges after a technique name are kept, separated from the name by a space; techniques without digits had no matching signature in this run.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation 211; Scheduled Task/Job 1; Shared Modules 1; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Scheduled Task/Job 1; Registry Run Keys / Startup Folder 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection 312; Scheduled Task/Job 1; Registry Run Keys / Startup Folder 1; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Masquerading 1; File and Directory Permissions Modification 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 151; Process Injection 312; Deobfuscate/Decode Files or Information 1; Hidden Files and Directories 1; Obfuscated Files or Information 2; Software Packing 22
Credential Access: Input Capture 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery 321; Process Discovery 2; Virtualization/Sandbox Evasion 151; Application Window Discovery 1; Account Discovery 1; System Owner/User Discovery 1; File and Directory Discovery 1; System Information Discovery 113; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Input Capture 1; Archive Collected Data 11; Clipboard Data 1; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Behavior Graph

Behavior Graph ID: 433221; Sample: HT210525 IV Quotation.exe; Start date: 11/06/2021; Architecture: WINDOWS; Score: 100

Signatures attached to the root node: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 9 other signatures

Process tree recovered from the graph (graph node numbers in parentheses; the digits after a process name are the created-files / created-registry-values counters from the graph legend):

HT210525 IV Quotation.exe (7; counter 6), started from the root
    dropped: C:\Users\user\AppData\...\KEehxxQTfXmag.exe (29, PE32); C:\Users\user\AppData\Local\Temp\tmpCED.tmp (31, XML); C:\Users\...\HT210525 IV Quotation.exe.log (33, ASCII)
    signatures: Writes to foreign memory regions; Sample uses process hollowing technique; Injects a PE file into a foreign processes
    started: RegSvcs.exe (15; counters 2 4); RegSvcs.exe (19); schtasks.exe (21; counter 1)
        RegSvcs.exe (15)
            dropped: C:\Users\user\AppData\Roaming\...\NewApp.exe (35, PE32); C:\Windows\System32\drivers\etc\hosts (37, ASCII)
            signatures: Modifies the hosts file; Hides that the sample has been downloaded from the Internet (zone.identifier)
        RegSvcs.exe (19)
            signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
        schtasks.exe (21)
            started: conhost.exe (27)
NewApp.exe (11; counter 2), started from the root
    started: conhost.exe (23)
NewApp.exe (13; counter 1), started from the root
    started: conhost.exe (25)
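The chain in the graph (a user-profile executable hollowing RegSvcs.exe, registering a scheduled task from an XML file staged in %TEMP%, and the hollowed process rewriting the hosts file) is the shape a responder would hunt for in endpoint telemetry. The script below is an added example written for this page, not code from the Joe Sandbox report: it runs three detection rules over constructed Sysmon-style records. The event layout, the path of the first stage (C:\Users\user\Desktop\...), the RegSvcs.exe location and the schtasks command line are assumptions modelled on the graph, not data taken from the report.

```python
"""Detection logic for the execution chain in the behavior graph above.

Added example, not part of the Joe Sandbox report. The events below are
constructed to resemble Sysmon records (Event ID 1 process creation,
Event ID 11 file creation); the paths and the schtasks command line are
assumptions modelled on the graph, not data taken from the report.
"""
import os
import re
from dataclasses import dataclass

# Executables under a user's profile are the usual origin of the first
# stage; a Microsoft .NET utility started by one of them is suspicious.
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
FRAMEWORK_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
# Task registration from an XML file staged in %TEMP% (tmpXXXX.tmp in the graph).
TEMP_XML_TASK = re.compile(r"\\appdata\\local\\temp\\[^\s\"]+\.tmp")
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"


@dataclass
class Event:
    event_id: int          # 1 = process create, 11 = file create (Sysmon numbering)
    image: str             # process that performed the action
    parent_image: str = ""
    command_line: str = ""
    target_filename: str = ""


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def find_hollowing_candidates(events):
    """.NET framework host started by an executable in a user profile.

    This is the parent/child shape of the hollowing in the graph
    (HT210525 IV Quotation.exe -> RegSvcs.exe). Legitimate RegSvcs.exe
    use comes from installers and build tooling, not from Desktop or AppData.
    """
    return [
        e for e in events
        if e.event_id == 1
        and _name(e.image) in FRAMEWORK_HOSTS
        and USER_PROFILE.match(e.parent_image)
    ]


def find_xml_task_registration(events):
    """schtasks /Create /XML with the task definition in %TEMP%."""
    hits = []
    for e in events:
        if e.event_id != 1 or _name(e.image) != "schtasks.exe":
            continue
        cl = e.command_line.lower()
        if "/create" in cl and "/xml" in cl and TEMP_XML_TASK.search(cl):
            hits.append(e)
    return hits


def find_hosts_writes(events):
    """Every write to the hosts file; legitimate changes are rare enough to review each one."""
    return [e for e in events if e.event_id == 11 and e.target_filename.lower() == HOSTS_FILE]


def triage(events):
    """Summary a responder can act on: who spawned what, task registrations, hosts writers."""
    return {
        "hollowing_candidates": [f"{_name(e.parent_image)} -> {_name(e.image)}"
                                 for e in find_hollowing_candidates(events)],
        "xml_task_registrations": len(find_xml_task_registration(events)),
        "hosts_writers": sorted({_name(e.image) for e in find_hosts_writes(events)}),
    }


NET_FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"   # assumed location
STAGE1 = r"C:\Users\user\Desktop\HT210525 IV Quotation.exe"             # assumed location

# Constructed sample telemetry: the first four records mirror the graph, the
# last two are benign noise the rules must not flag.
SAMPLE_EVENTS = [
    Event(1, STAGE1, r"C:\Windows\explorer.exe"),
    Event(1, NET_FW, STAGE1, f'"{NET_FW}"'),
    Event(1, r"C:\Windows\System32\schtasks.exe", STAGE1,
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Example" '
          r'/XML "C:\Users\user\AppData\Local\Temp\tmpCED.tmp"'),
    Event(11, NET_FW, target_filename=r"C:\Windows\System32\drivers\etc\hosts"),
    Event(1, NET_FW, r"C:\Program Files\Vendor\setup.exe"),
    Event(1, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
          r'schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The hosts-file rule deliberately has no allow-list: in this run the writer is RegSvcs.exe, a signed Microsoft binary under C:\Windows, so filtering on image path or signature would hide exactly the event that matters. The parent/child rule carries the signal instead.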

Screenshots

(Thumbnails of the analysis run; the images are not reproduced in this text version.)

                      Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
HT210525 IV Quotation.exe | 39% | Virustotal | (none)
HT210525 IV Quotation.exe | 59% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\KEehxxQTfXmag.exe | 59% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | 0% | Metadefender | (none)
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | 0% | ReversingLabs | (none)

Note that the NewApp.exe copy written to Roaming by the hollowed RegSvcs.exe scored 0% with both scanners at analysis time, while the payload unpacked from RegSvcs.exe memory (below) scored 100%. The static verdict on a dropped file is not on its own a reason to treat the persistence copy as clean.

Unpacked PE Files

Source | Detection | Scanner | Label
13.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
13.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
0.2.HT210525 IV Quotation.exe.540000.0.unpack | 100% | Avira | HEUR/AGEN.1123468

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnak | 0% | Avira URL Cloud | safe
http://www.carterandcone.comn-u | 0% | URL Reputation | safe
http://IsXVMb.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.founder.c | 0% | URL Reputation | safe
http://www.urwpp.deFr( | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.founder.com.cn/cnt-p | 0% | Avira URL Cloud | safe
http://www.goodfont.co.krny | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.urwpp.dewa | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.goodfont.co.krg | 0% | Avira URL Cloud | safe
http://www.tiro.comslntp | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr= | 0% | Avira URL Cloud | safe
http://www.urwpp.de# | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.founder.com.cn/cnuct | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kru | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.carterandcone.comTC | 0% | URL Reputation | safe
http://www.fontbureau.como$ | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krn | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/nt | 0% | Avira URL Cloud | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.fontbureau.come.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source (process, memory dump) | Malicious | Antivirus detection | Reputation

Most of the names below are carved strings with trailing garbage (e.g. "carterandcone.comn-u"), and the fontbureau, carterandcone, tiro, sandoll, sajatypeworks, zhongyicts, founder.com.cn, urwpp and galapagosdesign entries are type-foundry URLs from font metadata in the first-stage process, not contacts made by the sample. The strings worth noting are the ones carved from RegSvcs.exe, the process that hosts the hollowed AgentTesla payload: the Tor bundle download URL (www.theonionrouter.com) and DynDns.com. None of them was contacted during the run (see "Contacted Domains" above).

http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | none | high
http://www.founder.com.cn/cnak | HT210525 IV Quotation.exe, 00000000.00000003.334431042.0000000005C46000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comn-u | HT210525 IV Quotation.exe, 00000000.00000003.335492406.0000000005C4D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://IsXVMb.com | RegSvcs.exe, 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | none | high
http://www.founder.com.cn/cn/bThe | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | none | high
http://www.fontbureau.com/designersU2 | HT210525 IV Quotation.exe, 00000000.00000003.339726935.0000000005C2B000.00000004.00000001.sdmp | false | none | high
http://www.tiro.com | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp; HT210525 IV Quotation.exe, 00000000.00000003.340397452.0000000005C2B000.00000004.00000001.sdmp | false | none | high
http://www.founder.c | HT210525 IV Quotation.exe, 00000000.00000003.334510475.0000000005C46000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deFr( | HT210525 IV Quotation.exe, 00000000.00000003.341835039.0000000005C4C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.goodfont.co.kr | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | HT210525 IV Quotation.exe, 00000000.00000003.335492406.0000000005C4D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | HT210525 IV Quotation.exe, 00000000.00000003.343733436.0000000005C4C000.00000004.00000001.sdmp; HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersK2 | HT210525 IV Quotation.exe, 00000000.00000003.341374586.0000000005C2B000.00000004.00000001.sdmp | false | none | high
http://www.galapagosdesign.com/DPlease | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnt-p | HT210525 IV Quotation.exe, 00000000.00000003.333982038.0000000005C46000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | none | high
http://www.goodfont.co.krny | HT210525 IV Quotation.exe, 00000000.00000003.333206126.0000000005C4C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kr | HT210525 IV Quotation.exe, 00000000.00000003.333167937.0000000005C4B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | HT210525 IV Quotation.exe, 00000000.00000003.338826050.0000000005C4B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.dewa | HT210525 IV Quotation.exe, 00000000.00000003.338545084.0000000005C4B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | HT210525 IV Quotation.exe, 00000000.00000002.442922182.0000000002A91000.00000004.00000001.sdmp | false | none | high
http://www.sakkal.com | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | HT210525 IV Quotation.exe, 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp; RegSvcs.exe, 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers#2Oc | HT210525 IV Quotation.exe, 00000000.00000003.341632770.0000000005C2B000.00000004.00000001.sdmp | false | none | high
http://www.goodfont.co.krg | HT210525 IV Quotation.exe, 00000000.00000003.333206126.0000000005C4C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comslntp | HT210525 IV Quotation.exe, 00000000.00000003.335681000.0000000005C4D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kr= | HT210525 IV Quotation.exe, 00000000.00000003.333167937.0000000005C4B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.urwpp.de# | HT210525 IV Quotation.exe, 00000000.00000003.341835039.0000000005C4C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | HT210525 IV Quotation.exe, 00000000.00000003.335108063.0000000005C2E000.00000004.00000001.sdmp | false | none | high
http://www.fontbureau.com | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | none | high
http://www.galapagosdesign.com/ | HT210525 IV Quotation.exe, 00000000.00000003.343375719.0000000005C4C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNS | RegSvcs.exe, 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnuct | HT210525 IV Quotation.exe, 00000000.00000003.333853304.0000000005C4E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kru | HT210525 IV Quotation.exe, 00000000.00000003.333167937.0000000005C4B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comTC | HT210525 IV Quotation.exe, 00000000.00000003.335492406.0000000005C4D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.htmlp | HT210525 IV Quotation.exe, 00000000.00000003.341394504.0000000005C4C000.00000004.00000001.sdmp | false | none | high
http://www.fontbureau.como$ | HT210525 IV Quotation.exe, 00000000.00000002.442801605.0000000001147000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low
http://www.sandoll.co.krn | HT210525 IV Quotation.exe, 00000000.00000003.333206126.0000000005C4C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/nt | HT210525 IV Quotation.exe, 00000000.00000003.333302020.0000000005C4C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.coma | HT210525 IV Quotation.exe, 00000000.00000002.442801605.0000000001147000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.come.com | HT210525 IV Quotation.exe, 00000000.00000002.442801605.0000000001147000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cna-da | HT210525 IV Quotation.exe, 00000000.00000003.333988336.0000000005C4E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                              http://www.founder.com.cn/cn/HT210525 IV Quotation.exe, 00000000.00000003.334541105.0000000005C4C000.00000004.00000001.sdmp, HT210525 IV Quotation.exe, 00000000.00000003.333367785.0000000005C4C000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNHT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.founder.com.cn/cnHT210525 IV Quotation.exe, 00000000.00000003.334541105.0000000005C4C000.00000004.00000001.sdmp, HT210525 IV Quotation.exe, 00000000.00000003.334031759.0000000005C2C000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/frere-jones.htmlHT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.fontbureau.com/designers/cabarga.htmlHT210525 IV Quotation.exe, 00000000.00000003.341139830.0000000005C4B000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.monotype.HT210525 IV Quotation.exe, 00000000.00000003.344381296.0000000005C4C000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.sandoll.co.krimHT210525 IV Quotation.exe, 00000000.00000003.333206126.0000000005C4C000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.zhongyicts.com.cno.HT210525 IV Quotation.exe, 00000000.00000003.335295630.0000000005C4D000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers8HT210525 IV Quotation.exe, 00000000.00000002.451133492.0000000006F02000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.fontbureau.com/designers/nHT210525 IV Quotation.exe, 00000000.00000003.338875299.0000000005C2B000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.tiro.comicHT210525 IV Quotation.exe, 00000000.00000003.335681000.0000000005C4D000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers/HT210525 IV Quotation.exe, 00000000.00000003.338826050.0000000005C4B000.00000004.00000001.sdmpfalse
                                                          high

                                                          Contacted IPs

                                                          No contacted IP infos

                                                          General Information

                                                          Joe Sandbox Version:32.0.0 Black Diamond
                                                          Analysis ID:433221
                                                          Start date:11.06.2021
                                                          Start time:13:23:21
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 9m 24s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Sample file name:HT210525 IV Quotation.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.adwa.evad.winEXE@12/8@0/0
                                                          EGA Information:Failed
                                                          HDC Information:
                                                          • Successful, ratio: 1.6% (good quality ratio 1.1%)
                                                          • Quality average: 45.5%
                                                          • Quality standard deviation: 37.1%
                                                          HCA Information:
                                                          • Successful, ratio: 95%
                                                          • Number of executed functions: 91
                                                          • Number of non-executed functions: 13
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

Time | Type | Description
13:25:17 | API Interceptor | 389x Sleep call for process: RegSvcs.exe modified
13:25:30 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NewApp C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
13:25:38 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NewApp C:\Users\user\AppData\Roaming\NewApp\NewApp.exe

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

                                                          No context

                                                          ASN

                                                          No context

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Bank_payment information.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | HT210525 IV Quotation.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Proforma Invoice No. 14214.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | KCTC International Ltd.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | NEW PO#70-02110-00739.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | New quote.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Bank payment information.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | MESCO TQZ24 QUOTE.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | SWIFT Msg of USD 78,000.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | OM PHOENIX TRADERS.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | ORDER #2348478.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | 1029BA046DF67EE328AD9D21BFD1E6D31C5CEDC4D4EAD.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Quotation 2000051165.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | IMG-20191224-WA0050.jpg.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Note0093746573.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | RYJzamn1HwAEPyy.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | 11.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | OM PHOENIX TRADERS.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | NEW Quotation.exe | malicious
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | tB15iC3ImLK3MFX.exe | malicious

                                                                                                  Created / dropped Files

                                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HT210525 IV Quotation.exe.log
                                                                                                  Process:C:\Users\user\Desktop\HT210525 IV Quotation.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1216
                                                                                                  Entropy (8bit):5.355304211458859
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                                                                                  MD5:B666A4404B132B2BF6C04FBF848EB948
                                                                                                  SHA1:D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                                                                                  SHA-256:7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                                                                                  SHA-512:00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                                                                                  Malicious:true
                                                                                                  Reputation:moderate, very likely benign file
                                                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NewApp.exe.log
                                                                                                  Process:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:modified
                                                                                                  Size (bytes):142
                                                                                                  Entropy (8bit):5.090621108356562
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                                                  MD5:8C0458BB9EA02D50565175E38D577E35
                                                                                                  SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                                                  SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                                                  SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                                                  Malicious:false
                                                                                                  Reputation:moderate, very likely benign file
                                                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                  C:\Users\user\AppData\Local\Temp\tmpCED.tmp
                                                                                                  Process:C:\Users\user\Desktop\HT210525 IV Quotation.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1658
                                                                                                  Entropy (8bit):5.16390772990795
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3oztn:cbha7JlNQV/rydbz9I3YODOLNdq3i
                                                                                                  MD5:407D163CED10E31402B2CADD4767DB34
                                                                                                  SHA1:31DCF29A9E58547B0E124FCE165B47E5DDF98DD4
                                                                                                  SHA-256:F44BF3B2B491CDD6F5E5C6D7F8DB4B7A9674CC0A4FC093E3BDC6D62174FC2F04
                                                                                                  SHA-512:7C13256812F14A6370D5B8C5ADEA0E24425BAE2944068B9C2ADC0597A4F40FA45211105FB40F9700C7E88628F4B69C330B9E5487802152BA4086697A19F0877B
                                                                                                  Malicious:true
                                                                                                  Reputation:low
                                                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                                                                                  C:\Users\user\AppData\Roaming\KEehxxQTfXmag.exe
                                                                                                  Process:C:\Users\user\Desktop\HT210525 IV Quotation.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1129472
                                                                                                  Entropy (8bit):7.09477588573758
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:+Dv3KLaq4zaohfxhbyoHsCCRKumxfrvvdH0:2v3e34O+5pxsxRKumxfrt
                                                                                                  MD5:8EA3CB0D331F0A8414E5B2ECFCE3ABF3
                                                                                                  SHA1:4C690653287B4B783B46EC4991D71D81CA527DBC
                                                                                                  SHA-256:E2B3C7E7061E68AA31813371C589B7B0B11B12750FAB1CE87F5EA7CCA9740563
                                                                                                  SHA-512:04E819765B5D5D78B5834EA02226E4D3E4F65D9AE244C02D0F718DBBF65FCFED6839BA604B9F5E766A80E89004273923E70FBA0CE80B92DC5DE9D35CE37C6E83
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 59%
                                                                                                  Reputation:low
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0..<...........[... ...`....@.. ....................................@..................................[..K....`.......................`....................................................... ............... ..H............text....;... ...<.................. ..`.rsrc........`.......>..............@..@.reloc.......`.......:..............@..B.................[......H.......x...........r....................................................0..........(....(....*..0..U.......r...p. .M. .Q..a%...^E............a...............................8.....(.... ..C.+..,. .J..%+. .$.%&. ...Za+..(....(....r...p(....-. OF~u%+. .."'%&. ...,Za8g....r...p(....(....-. }.A.%+. ..%&. x\ADZa89...(..... .3[.8)..........s....(....%.(.....(.... .{/.8....r9..p(..... .'QZ ..9'a8.....r;..p(....(....,. ....%+. V...%&. ;+T.Za8....*....0...............(0...*..0..
                                                                                                  C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):45152
                                                                                                  Entropy (8bit):6.149629800481177
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                                                  MD5:2867A3817C9245F7CF518524DFD18F28
                                                                                                  SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                                                  SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                                                  SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                                                  Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Bank_payment information.exe, Detection: malicious
• Filename: HT210525 IV Quotation.exe, Detection: malicious
• Filename: Proforma Invoice No. 14214.exe, Detection: malicious
• Filename: KCTC International Ltd.exe, Detection: malicious
• Filename: NEW PO#70-02110-00739.exe, Detection: malicious
• Filename: New quote.exe, Detection: malicious
• Filename: Bank payment information.exe, Detection: malicious
• Filename: MESCO TQZ24 QUOTE.exe, Detection: malicious
• Filename: SWIFT Msg of USD 78,000.exe, Detection: malicious
• Filename: OM PHOENIX TRADERS.exe, Detection: malicious
• Filename: ORDER #2348478.exe, Detection: malicious
• Filename: 1029BA046DF67EE328AD9D21BFD1E6D31C5CEDC4D4EAD.exe, Detection: malicious
• Filename: Quotation 2000051165.exe, Detection: malicious
• Filename: IMG-20191224-WA0050.jpg.exe, Detection: malicious
• Filename: Note0093746573.exe, Detection: malicious
• Filename: RYJzamn1HwAEPyy.exe, Detection: malicious
• Filename: 11.exe, Detection: malicious
• Filename: OM PHOENIX TRADERS.exe, Detection: malicious
• Filename: NEW Quotation.exe, Detection: malicious
• Filename: tB15iC3ImLK3MFX.exe, Detection: malicious
                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                                                  C:\Windows\System32\drivers\etc\hosts
                                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:modified
                                                                                                  Size (bytes):11
                                                                                                  Entropy (8bit):2.663532754804255
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:iLE:iLE
                                                                                                  MD5:B24D295C1F84ECBFB566103374FB91C5
                                                                                                  SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                                                                                                  SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                                                                                                  SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                                                                                                  Malicious:true
                                                                                                  Preview: ..127.0.0.1
                                                                                                  \Device\ConDrv
                                                                                                  Process:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1141
                                                                                                  Entropy (8bit):4.44831826838854
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                                                  MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                                                  SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                                                  SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                                                  SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                                                  Malicious:false
                                                                                                  Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                                                  Static File Info

                                                                                                  General

                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Entropy (8bit):7.09477588573758
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                  File name:HT210525 IV Quotation.exe
                                                                                                  File size:1129472
                                                                                                  MD5:8ea3cb0d331f0a8414e5b2ecfce3abf3
                                                                                                  SHA1:4c690653287b4b783b46ec4991d71d81ca527dbc
                                                                                                  SHA256:e2b3c7e7061e68aa31813371c589b7b0b11b12750fab1ce87f5ea7cca9740563
                                                                                                  SHA512:04e819765b5d5d78b5834ea02226e4d3e4f65d9ae244c02d0f718dbbf65fcfed6839ba604b9f5e766a80e89004273923e70fba0ce80b92dc5de9d35ce37c6e83
                                                                                                  SSDEEP:24576:+Dv3KLaq4zaohfxhbyoHsCCRKumxfrvvdH0:2v3e34O+5pxsxRKumxfrt
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0..<...........[... ...`....@.. ....................................@................................

                                                                                                  File Icon

                                                                                                  Icon Hash:929296929e9e8eb2

                                                                                                  Static PE Info

                                                                                                  General

                                                                                                  Entrypoint:0x4e5bce
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                  Time Stamp:0x60C1FEA2 [Thu Jun 10 11:59:30 2021 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:v4.0.30319
                                                                                                  OS Version Major:4
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:4
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:4
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                  Entrypoint Preview

                                                                                                  Instruction
                                                                                                  jmp dword ptr [00402000h]

                                                                                                  Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xe5b80          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe6000          0x2fbe8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x116000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                  Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xe3bd4       0xe3c00   False     0.665810879185   data       7.09066912036   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xe6000          0x2fbe8       0x2fc00   False     0.364002167866   data       6.27676522509   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x116000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                  Resources

Name           RVA       Size     Type                                                                                                                                    Language  Country
RT_ICON        0xe62b0   0x709e   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0xed350   0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 318767104, next used block 117440512
RT_ICON        0xfdb78   0x94a8   data
RT_ICON        0x107020  0x5488   data
RT_ICON        0x10c4a8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 224, next used block 117440512
RT_ICON        0x1106d0  0x25a8   data
RT_ICON        0x112c78  0x10a8   data
RT_ICON        0x113d20  0x988    data
RT_ICON        0x1146a8  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0x114b10  0x84     data
RT_VERSION     0x114b94  0x32c    data
RT_MANIFEST    0x114ec0  0xd25    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

                                                                                                  Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                                                  Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2017 - 2021
Assembly Version  1.0.0.0
InternalName      eNX0.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       Pharmacy POS
ProductVersion    1.0.0.0
FileDescription   Pharmacy POS
OriginalFilename  eNX0.exe

                                                                                                  Network Behavior

                                                                                                  No network behavior found

                                                                                                  Code Manipulations

                                                                                                  System Behavior

                                                                                                  General

                                                                                                  Start time:13:24:14
                                                                                                  Start date:11/06/2021
                                                                                                  Path:C:\Users\user\Desktop\HT210525 IV Quotation.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:'C:\Users\user\Desktop\HT210525 IV Quotation.exe'
                                                                                                  Imagebase:0x540000
                                                                                                  File size:1129472 bytes
                                                                                                  MD5 hash:8EA3CB0D331F0A8414E5B2ECFCE3ABF3
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.446010791.0000000003AEA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  Reputation:low

                                                                                                  General

                                                                                                  Start time:13:25:05
                                                                                                  Start date:11/06/2021
                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KEehxxQTfXmag' /XML 'C:\Users\user\AppData\Local\Temp\tmpCED.tmp'
                                                                                                  Imagebase:0x1320000
                                                                                                  File size:185856 bytes
                                                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:13:25:06
                                                                                                  Start date:11/06/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff61de10000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:13:25:06
                                                                                                  Start date:11/06/2021
                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:{path}
                                                                                                  Imagebase:0x400000
                                                                                                  File size:45152 bytes
                                                                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:13:25:07
                                                                                                  Start date:11/06/2021
                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:{path}
                                                                                                  Imagebase:0x960000
                                                                                                  File size:45152 bytes
                                                                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000002.595401687.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.440537158.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.440537158.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.597350034.0000000002C81000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:13:25:38
                                                                                                  Start date:11/06/2021
                                                                                                  Path:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
                                                                                                  Imagebase:0xd20000
                                                                                                  File size:45152 bytes
                                                                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 0%, Metadefender, Browse
                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:13:25:38
                                                                                                  Start date:11/06/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff61de10000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:13:25:46
                                                                                                  Start date:11/06/2021
                                                                                                  Path:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
                                                                                                  Imagebase:0x6c0000
                                                                                                  File size:45152 bytes
                                                                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:13:25:46
                                                                                                  Start date:11/06/2021
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff61de10000
                                                                                                  File size:625664 bytes
                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  Disassembly

                                                                                                  Code Analysis


                                                                                                    Executed Functions

                                                                                                    APIs
                                                                                                    • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00DC345D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: InformationProcessQuery
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • NtUnmapViewOfSection.NTDLL(?,?), ref: 04AA2C84
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: SectionUnmapView
                                                                                                    • String ID:
                                                                                                    • API String ID: 498011366-0
                                                                                                    • Opcode ID: 66c5e9e44403ce659f0b010dc727a6c45a40c60afd966ef6e2f5fe83fc1649a8
                                                                                                    • Instruction ID: 3e334d919756715fedfc6b89a505fbe2c68aa6f72ea6d74e3eaf425c046cb833
                                                                                                    • Opcode Fuzzy Hash: 66c5e9e44403ce659f0b010dc727a6c45a40c60afd966ef6e2f5fe83fc1649a8
                                                                                                    • Instruction Fuzzy Hash: BC3198B9D012189FCB10CFA9E984ADEFBF5BB49314F10905AE818B7300D734A905CFA5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: ChangeCloseDebugFindNotificationOutputString
                                                                                                    • String ID: +5
                                                                                                    • API String ID: 1246255373-3304238550
                                                                                                    • Opcode ID: e02172bdeec05cdbe145dddcc921ef80ee9539fdd1557dbd892f76deae8fdcf4
                                                                                                    • Instruction ID: 1c2c6cfeb96147ced85ab2251879b9ccaa5cd8f37b013ce17b6e6b12859f30a4
                                                                                                    • Opcode Fuzzy Hash: e02172bdeec05cdbe145dddcc921ef80ee9539fdd1557dbd892f76deae8fdcf4
                                                                                                    • Instruction Fuzzy Hash: 7BB145B4D04259CFDB18DFA4D984B9DBBB2FB89301F20852DD04AAB365DB749A41CF20
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: +5
                                                                                                    • API String ID: 0-3304238550
                                                                                                    • Opcode ID: 2ae645669caaff209b5908aab5ce68f9077685a5018bd0165f49671c69245f48
                                                                                                    • Instruction ID: ab2d4ea8f38f3ac767e5c586b4c317f3cd82d4b2c87e177719b50f01b35811f5
                                                                                                    • Opcode Fuzzy Hash: 2ae645669caaff209b5908aab5ce68f9077685a5018bd0165f49671c69245f48
                                                                                                    • Instruction Fuzzy Hash: 83B144B4D04259CFDB18DFA4D984B9DBBB2FB89300F20852ED44AE7295DB749A41CF20
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: H]J
                                                                                                    • API String ID: 0-3949961615
                                                                                                    • Opcode ID: 5c5bbb38d6db079380b10f09f359f46ce46993a375e97ac05937710e11e46f64
                                                                                                    • Instruction ID: f33b2bafaf77391aae5eb63215ced3aa8b741f5fdf50c99747dc6e113a61b622
                                                                                                    • Opcode Fuzzy Hash: 5c5bbb38d6db079380b10f09f359f46ce46993a375e97ac05937710e11e46f64
                                                                                                    • Instruction Fuzzy Hash: 4F514B71E1462A8BDB68CF66CC447DAB7B2AFC8300F14C6EAD509A7654EB705A81CF40
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: H]J
                                                                                                    • API String ID: 0-3949961615
                                                                                                    • Opcode ID: 73d4f11ef2b6328ce9018b09629f4be227631a4b274c765e5708f30f36c8a22f
                                                                                                    • Instruction ID: 622559aaa7acab68e6d1d1a8403dadd7b9b93aa6d8eca71376fe5e927a1131d1
                                                                                                    • Opcode Fuzzy Hash: 73d4f11ef2b6328ce9018b09629f4be227631a4b274c765e5708f30f36c8a22f
                                                                                                    • Instruction Fuzzy Hash: 6D415871E5422ACBCB68CF65CC84BD9B7B2BF99300F1486E69509A7650EB706AC1CF00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: H]J
                                                                                                    • API String ID: 0-3949961615
                                                                                                    • Opcode ID: 0393c66b23df63959b95a07c38c0bcbd2807ff7cbc1f693930298c7888976141
                                                                                                    • Instruction ID: abb633d5f7fdc71cb34ae93a2eb38e9be42e17c791085a14b2473767b1e0dc38
                                                                                                    • Opcode Fuzzy Hash: 0393c66b23df63959b95a07c38c0bcbd2807ff7cbc1f693930298c7888976141
                                                                                                    • Instruction Fuzzy Hash: F1415A71E5422ACBCB68CF65CC84BD9B7B2BF99300F1486E6D509A7650EB705AC0CF00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.448070861.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7ddb183220acb4bcb01c28c6fa635e3f104a83803277ef44344bdff0ec416a5c
                                                                                                    • Instruction ID: 2ae44eed04d66bf061014a6635f52ec3eb7e71fa500228c84bcb99c5bebde535
                                                                                                    • Opcode Fuzzy Hash: 7ddb183220acb4bcb01c28c6fa635e3f104a83803277ef44344bdff0ec416a5c
                                                                                                    • Instruction Fuzzy Hash: 06810274E11219DFCB04CFE9D8455AEBBB2FF89310F24992AE816AB354EB349901CF54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5bf41d01a77b28b6300c05583eb820768a26a73db791636a8244a4348e5cd61e
                                                                                                    • Instruction ID: 9abf4464c1ea9405b86122b213a6ad980320a6ada120f57a61f586aebc522ecc
                                                                                                    • Opcode Fuzzy Hash: 5bf41d01a77b28b6300c05583eb820768a26a73db791636a8244a4348e5cd61e
                                                                                                    • Instruction Fuzzy Hash: 8851F370E10759DBCB14CFE9C840A9DFBB6FF89300F24862AD419A7214DB70AA42CF64
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4710b18023e3f88207139be654348a01b5fffd8e47fd86ca881633400573f489
                                                                                                    • Instruction ID: f19155a93d9ad5638a4da034e716ea9537ae1a1426b51ec39fd1907ee897d16f
                                                                                                    • Opcode Fuzzy Hash: 4710b18023e3f88207139be654348a01b5fffd8e47fd86ca881633400573f489
                                                                                                    • Instruction Fuzzy Hash: 5451F274E1075ADBCB14DFA9C94069DFBB2FF89300F24862AD419A7214DB70AA46CF60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 51a4b8b941f95ef7626d944e9394111d5fc8f60dfffa3bbf57f22a577f427532
                                                                                                    • Instruction ID: 078fcecfd9ce8ef7397ca52e109df717b514dfc40917bdc4cf5b9d441b6e1c84
                                                                                                    • Opcode Fuzzy Hash: 51a4b8b941f95ef7626d944e9394111d5fc8f60dfffa3bbf57f22a577f427532
                                                                                                    • Instruction Fuzzy Hash: F4213070A09209DFCB44DFE5D64599EBBB2EB89300F24D5A9D40AE7264DB748E05CF24
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00DCFE28
                                                                                                    • GetCurrentThread.KERNEL32 ref: 00DCFE65
                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00DCFEA2
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00DCFEFB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: Current$ProcessThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 2063062207-0
                                                                                                    • Opcode ID: 5c9327089b96711f043d3e66aab569b314c445edc705e66a893b3729d27cd55a
                                                                                                    • Instruction ID: 1e4a541fb69800e86b15f9904ea55cf11e192190eebebc4d44490978ef2a6b14
                                                                                                    • Opcode Fuzzy Hash: 5c9327089b96711f043d3e66aab569b314c445edc705e66a893b3729d27cd55a
                                                                                                    • Instruction Fuzzy Hash: 395175B09006498FDB28CFAAD548BEEBBF1EF48304F24846DE019A73A0D7745984CF65
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04AA2744
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: CreateProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 963392458-0
                                                                                                    • Opcode ID: ee1c0752298c874f1c5bce0c6de2b19095f2f8bd3585047e08ec0c5fcf452009
                                                                                                    • Instruction ID: ed0eb9a6ff7b743e2516b6ae6839b05941fc642f9abf136d677aa7caace10baa
                                                                                                    • Opcode Fuzzy Hash: ee1c0752298c874f1c5bce0c6de2b19095f2f8bd3585047e08ec0c5fcf452009
                                                                                                    • Instruction Fuzzy Hash: 1281DF75C00229DFDB20CFA8C880BDDBBB5BB09304F0495AAE508B7250DB30AE95CF55
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04AA2744
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: CreateProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 963392458-0
                                                                                                    • Opcode ID: d5e073b4eb5bd9ec3a5e89a99c103af363568710b2458032344de83fcdba6c89
                                                                                                    • Instruction ID: 6eed96eb5d27674d664dcdc58fd18bc12ee93d85c4991836fdf7a071d34703e9
                                                                                                    • Opcode Fuzzy Hash: d5e073b4eb5bd9ec3a5e89a99c103af363568710b2458032344de83fcdba6c89
                                                                                                    • Instruction Fuzzy Hash: BF81CE75D00269DFDB20CFA9C880BDDBBB5AB09304F0495AAE509B7260DB30AE95CF55
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateActCtxA.KERNEL32(?), ref: 00DC9549
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: Create
                                                                                                    • String ID:
                                                                                                    • API String ID: 2289755597-0
                                                                                                    • Opcode ID: d9a6e87ed13a351742b25613a65f918b8800d28ac17956035adb70fa663105fb
                                                                                                    • Instruction ID: 4325d0ee77f751dd2cfa651b2ee8daace9463e8432e19f22f1cc48d4e2cd7afc
                                                                                                    • Opcode Fuzzy Hash: d9a6e87ed13a351742b25613a65f918b8800d28ac17956035adb70fa663105fb
                                                                                                    • Instruction Fuzzy Hash: 8251D371D0422C8FDB60DFA8C884BCEBBB5BF45304F1084AAD549AB251DB716E89CF91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04AA2FDE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: MemoryProcessWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3559483778-0
                                                                                                    • Opcode ID: 3fae45ccef73f6fe2357e5fb693ad758510cabf8d33b88874dbe12b3cfe2bd88
                                                                                                    • Instruction ID: 4d1319d80c996abea59a719d07cff2caea2d1d3d2759c8ff0926897271af933c
                                                                                                    • Opcode Fuzzy Hash: 3fae45ccef73f6fe2357e5fb693ad758510cabf8d33b88874dbe12b3cfe2bd88
                                                                                                    • Instruction Fuzzy Hash: 904175B5D002589FCB00CFA9D984AEEFBF1BB49314F24902AE818B7350D335AA55CB64
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04AA2FDE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: MemoryProcessWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3559483778-0
                                                                                                    • Opcode ID: 5789395255d634a9c34cdf67eed3761893864ce4b558d8dc8735996cccc66b61
                                                                                                    • Instruction ID: d69328f9a896280fe56f83649f34817c9a41282971fb91b4aa41696689e67e7c
                                                                                                    • Opcode Fuzzy Hash: 5789395255d634a9c34cdf67eed3761893864ce4b558d8dc8735996cccc66b61
                                                                                                    • Instruction Fuzzy Hash: ED4157B5D002589FCF00CFA9D984ADEFBF1BB19314F24906AE818B7250D735AA55CF54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04AA2B8D
Memory Dump Source
• Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Similarity
• API ID: MemoryProcessRead

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04AA2B8D
Memory Dump Source
• Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Similarity
• API ID: MemoryProcessRead

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04AA2D8D
Memory Dump Source
• Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Similarity
• API ID: AllocVirtual

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04AA2D8D
Memory Dump Source
• Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Similarity
• API ID: AllocVirtual

APIs
• LoadLibraryExW.KERNELBASE(?,?,?), ref: 00DCDF22
Memory Dump Source
• Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
Similarity
• API ID: LibraryLoad

APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 00DC2BD7
Memory Dump Source
• Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
Similarity
• API ID: ProtectVirtual

APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 00DC2BD7
Memory Dump Source
• Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
Similarity
• API ID: ProtectVirtual

APIs
• SetThreadContext.KERNELBASE(?,?), ref: 04AA2A72
Memory Dump Source
• Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Similarity
• API ID: ContextThread

APIs
• OutputDebugStringW.KERNELBASE(?), ref: 00DC3F2A
Memory Dump Source
• Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
Similarity
• API ID: DebugOutputString

APIs
• SetThreadContext.KERNELBASE(?,?), ref: 04AA2A72
Memory Dump Source
• Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Similarity
• API ID: ContextThread

APIs
• PostMessageW.USER32(?,?,?,?), ref: 04AA357B
Memory Dump Source
• Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Similarity
• API ID: MessagePost

APIs
• PostMessageW.USER32(?,?,?,?), ref: 04AA357B
Memory Dump Source
• Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Similarity
• API ID: MessagePost

APIs
• OutputDebugStringW.KERNELBASE(?), ref: 00DC3F2A
Memory Dump Source
• Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
Similarity
• API ID: DebugOutputString

APIs
• OutputDebugStringW.KERNELBASE(?), ref: 00DC3F2A
Memory Dump Source
• Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
Similarity
• API ID: DebugOutputString

APIs
• GetModuleHandleW.KERNELBASE(?), ref: 00DCDBFA
Memory Dump Source
• Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
Similarity
• API ID: HandleModule

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 00DC4006
Memory Dump Source
• Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
Similarity
• API ID: ChangeCloseFindNotification
                                                                                                    • String ID:
                                                                                                    • API String ID: 2591292051-0
                                                                                                    • Opcode ID: 69c699594be308a4e07c81b0d84262a13edd4f707c51cfe326c149ffaa4ac637
                                                                                                    • Instruction ID: 5cd4f6576371f04287fdbddb67d69a5a51de0c24ddf99da02fd81564d5d32689
                                                                                                    • Opcode Fuzzy Hash: 69c699594be308a4e07c81b0d84262a13edd4f707c51cfe326c149ffaa4ac637
                                                                                                    • Instruction Fuzzy Hash: 5F31EAB4D042189FCB10CFA9D488AEEFBF4AF09324F14902AE915B7301D334A945CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 00DC4006
Memory Dump Source
• Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ResumeThread.KERNELBASE(?), ref: 04AA31AE
Memory Dump Source
• Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ResumeThread.KERNELBASE(?), ref: 04AA31AE
Memory Dump Source
• Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.441856820.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.441856820.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.441901348.0000000000D6D000.00000040.00000001.sdmp, Offset: 00D6D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.441901348.0000000000D6D000.00000040.00000001.sdmp, Offset: 00D6D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.441901348.0000000000D6D000.00000040.00000001.sdmp, Offset: 00D6D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.441856820.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.441856820.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.441901348.0000000000D6D000.00000040.00000001.sdmp, Offset: 00D6D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.441856820.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.441856820.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.448070861.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.448070861.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000002.448070861.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
Similarity
• API ID:
• String ID: Rukv
• API String ID: 0-756405483
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.448070861.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
Similarity
• API ID:
• String ID: Rukv
• API String ID: 0-756405483
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.448070861.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
Similarity
• API ID:
• String ID: "T`
• API String ID: 0-2213767920

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.448070861.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: "T`
                                                                                                    • API String ID: 0-2213767920

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.448070861.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.442056304.0000000000DC0000.00000040.00000001.sdmp, Offset: 00DC0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.446627286.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.448070861.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.448070861.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.448070861.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.448070861.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:

                                                                                                    Executed Functions

                                                                                                    APIs
                                                                                                    • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05FBB633
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: NameUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2645101109-0

                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32 ref: 014B6B60
                                                                                                    • GetCurrentThread.KERNEL32 ref: 014B6B9D
                                                                                                    • GetCurrentProcess.KERNEL32 ref: 014B6BDA
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 014B6C33
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.596871806.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: Current$ProcessThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 2063062207-0

                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32 ref: 014B6B60
                                                                                                    • GetCurrentThread.KERNEL32 ref: 014B6B9D
                                                                                                    • GetCurrentProcess.KERNEL32 ref: 014B6BDA
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 014B6C33
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.596871806.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: Current$ProcessThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 2063062207-0

                                                                                                    APIs
                                                                                                    • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05FBB633
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: NameUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2645101109-0

                                                                                                    APIs
                                                                                                    • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05FBB633
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: NameUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2645101109-0

                                                                                                    APIs
                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014B5362
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.596871806.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: CreateWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 716092398-0

                                                                                                    APIs
                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014B5362
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.596871806.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: CreateWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 716092398-0
                                                                                                    • Opcode ID: 9a94b63dbb80c6f0bb1509b24df8cae4bf199469e319ee937641f66fc2031ab6
                                                                                                    • Instruction ID: 3710092e5e5f12724fa5ee0987b7d9ef4bad8c76433b6000048ef721dad24a3f
                                                                                                    • Opcode Fuzzy Hash: 9a94b63dbb80c6f0bb1509b24df8cae4bf199469e319ee937641f66fc2031ab6
                                                                                                    • Instruction Fuzzy Hash: AD41ADB1D103499FDB14CF9AC884ADEFBB5BF48314F24852AE819AB350D774A885CF90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 014B7CB9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.596871806.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: CallProcWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2714655100-0
                                                                                                    • Opcode ID: b66afb8683afd1d2ffc650d555f030082d5431a7e2ada559923c55fa5d110c2b
                                                                                                    • Instruction ID: 4ac3fc8ad5f6d5899ef030354e286b3161854d079cad2c67c1f63e21780a9e84
                                                                                                    • Opcode Fuzzy Hash: b66afb8683afd1d2ffc650d555f030082d5431a7e2ada559923c55fa5d110c2b
                                                                                                    • Instruction Fuzzy Hash: E64129B5A00605DFDB14CF99C488AAABBF5FF88314F14845AE519AB361D734A941CBA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • DeleteFileW.KERNELBASE(00000000), ref: 05FBBA18
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: DeleteFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 4033686569-0
                                                                                                    • Opcode ID: 3f7d0186c08b0bd3b31d25bf09ee37072f61a6014bc726905edd71a9c54b6632
                                                                                                    • Instruction ID: 88f812458f17d6e2a8fc0f33cb15ef72596988b7b161a339f97102a7e265186d
                                                                                                    • Opcode Fuzzy Hash: 3f7d0186c08b0bd3b31d25bf09ee37072f61a6014bc726905edd71a9c54b6632
                                                                                                    • Instruction Fuzzy Hash: A6317A71D0060ADFDB00CFAAC8457EEBBF5EB48324F05C16AD858A7340DB78A945CBA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,05FBBF97), ref: 05FBC027
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: CallbackDispatcherUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2492992576-0
                                                                                                    • Opcode ID: bdf9103b31dc689d395a5e539364f4931fc399313926654784444c47ff28c2c3
                                                                                                    • Instruction ID: 5095c1e3e3baeaeece31a39aa52123da2020a0b99024938d3431cf932dd5e0a3
                                                                                                    • Opcode Fuzzy Hash: bdf9103b31dc689d395a5e539364f4931fc399313926654784444c47ff28c2c3
                                                                                                    • Instruction Fuzzy Hash: 6E21DDB2C083488FEB10DFA9D8857DEBBF4EF45328F14445AD555E7241D3B99804CBA2
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard
                                                                                                    • String ID:
                                                                                                    • API String ID: 220874293-0
                                                                                                    • Opcode ID: bfc75228cfd4f24c0e987b6bc5a19bb4a6b23e46b6205a83068d2cac1092c1c2
                                                                                                    • Instruction ID: 97ded0bff38e51e6ab190e70428a4d7b40c5c97b07231d549413e483bffa3ced
                                                                                                    • Opcode Fuzzy Hash: bfc75228cfd4f24c0e987b6bc5a19bb4a6b23e46b6205a83068d2cac1092c1c2
                                                                                                    • Instruction Fuzzy Hash: A531E2B4E00209DFDB10DF99C985BDEBBF5AF48318F148419E409BB394D7B4A945CB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard
                                                                                                    • String ID:
                                                                                                    • API String ID: 220874293-0
                                                                                                    • Opcode ID: 2459775775bd05b7ea53de2cd5d5b8076f04d08afccc41642156447604f68057
                                                                                                    • Instruction ID: c295399e53d3ec1d1c97a8cd91950d509783c2ff759ea6b05dece7e431a3cad6
                                                                                                    • Opcode Fuzzy Hash: 2459775775bd05b7ea53de2cd5d5b8076f04d08afccc41642156447604f68057
                                                                                                    • Instruction Fuzzy Hash: A331EFB4A00249DFDB14CF99D885BDEBFB5AF48318F148019E409AB394D7B4A949CB51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014B6DAF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.596871806.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    • Opcode ID: 5c7ccf39edd8e893adefb77744ff094bdd09f7751e3f68b4c621f774a38dd747
                                                                                                    • Instruction ID: e56f8b7dd19a088d54d972991de119208e738d5ecd0b71d025889f739b79ffe1
                                                                                                    • Opcode Fuzzy Hash: 5c7ccf39edd8e893adefb77744ff094bdd09f7751e3f68b4c621f774a38dd747
                                                                                                    • Instruction Fuzzy Hash: E421E4B5900208AFDF10CF9AD984ADEBFF8EB48324F14841AE914B7310D778A955CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014B6DAF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.596871806.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    • Opcode ID: 3f6f9f046d2096d8a6953c2222024c7d18d579009a353810cbbfd3c9b0617ab8
                                                                                                    • Instruction ID: 828ea9861111284133db8243ce6e1fbbb927045913166118bb649689ec6d37d4
                                                                                                    • Opcode Fuzzy Hash: 3f6f9f046d2096d8a6953c2222024c7d18d579009a353810cbbfd3c9b0617ab8
                                                                                                    • Instruction Fuzzy Hash: B321D3B5D002089FDB10CFAAD984ADEBBF8FB48324F15841AE914A7350D774A955CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • DeleteFileW.KERNELBASE(00000000), ref: 05FBBA18
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: DeleteFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 4033686569-0
                                                                                                    • Opcode ID: 0372bc8694d7dc4587068a07898aaf2d1d5b3d103a65ee30823a8a4fb39a32b4
                                                                                                    • Instruction ID: b630fa52ba767c98edbf51f033ae58cb6d280647f6ddc8afa6de452a5f37f792
                                                                                                    • Opcode Fuzzy Hash: 0372bc8694d7dc4587068a07898aaf2d1d5b3d103a65ee30823a8a4fb39a32b4
                                                                                                    • Instruction Fuzzy Hash: 922113B2D046199FDB10CF9AC5447EEFBB4EF48224F05812AD819B7240D778A945CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 014BC232
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.596871806.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: EncodePointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 2118026453-0
                                                                                                    • Opcode ID: 400b6b5afe4656031d0665f569e7b9c9af0f851e84775ebc3b2c37e0bc0da932
                                                                                                    • Instruction ID: 4a899a058772ef30f5ef6516e09206c783f6e252336ec7b1a02d83079e8cdbdd
                                                                                                    • Opcode Fuzzy Hash: 400b6b5afe4656031d0665f569e7b9c9af0f851e84775ebc3b2c37e0bc0da932
                                                                                                    • Instruction Fuzzy Hash: B2219AB29003058FDB20DFAAD9887EABFF4EB08318F10842AD408A6641C73869458FB5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 014BC232
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.596871806.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: EncodePointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 2118026453-0
                                                                                                    • Opcode ID: f889fb4df6c1b1633be6c7dc098a0c8910c1d48b168c0547d0f86bf3d73b2bac
                                                                                                    • Instruction ID: 567ba2252c43b8574d645c56cc44dccb4055244f862fcab69a6164d5021e9ef9
                                                                                                    • Opcode Fuzzy Hash: f889fb4df6c1b1633be6c7dc098a0c8910c1d48b168c0547d0f86bf3d73b2bac
                                                                                                    • Instruction Fuzzy Hash: 38116DB19003058FDB20DFAAD9887EEBBF4FB48314F10842AD509A7744CB3869448FA5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • DeleteFileW.KERNELBASE(00000000), ref: 05FBBA18
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: DeleteFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 4033686569-0
                                                                                                    • Opcode ID: 7d6680f6f75d9ee30065955898262afe5094c915216d74f79760a788da82f8d2
                                                                                                    • Instruction ID: b217ae35cf0306ed72c0bb7bd3c9665e0098dddd0e8ea824b75c1807565a9052
                                                                                                    • Opcode Fuzzy Hash: 7d6680f6f75d9ee30065955898262afe5094c915216d74f79760a788da82f8d2
                                                                                                    • Instruction Fuzzy Hash: A911EDB5E00206CFEB00DB9AD4057E9B7E4BF48314F158165E948EB341D3B9E846CBA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,05FBBF97), ref: 05FBC027
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: CallbackDispatcherUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2492992576-0
                                                                                                    • Opcode ID: 4f7ea65fe289fdbc295af7d6ffd7e3604911bf81384c678e7722a9333c8c5819
                                                                                                    • Instruction ID: 0d5756156460447891466c6567a469095781a215a28b21b88fc6064c87a66cea
                                                                                                    • Opcode Fuzzy Hash: 4f7ea65fe289fdbc295af7d6ffd7e3604911bf81384c678e7722a9333c8c5819
                                                                                                    • Instruction Fuzzy Hash: 351133B1904209CFDB10DF9AD885BDEFBF8EB89324F24841AD519A7300C778A945CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,05FBBF97), ref: 05FBC027
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: CallbackDispatcherUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2492992576-0
                                                                                                    • Opcode ID: db33340a5502e5b96d4360d262ecbfae7ce5d03b7c712fd9fc9783abb06a7488
                                                                                                    • Instruction ID: 9f670557d0468b0c94792fcfd9b4f7ea35458473ffd0f94ccf8d75abc971e690
                                                                                                    • Opcode Fuzzy Hash: db33340a5502e5b96d4360d262ecbfae7ce5d03b7c712fd9fc9783abb06a7488
                                                                                                    • Instruction Fuzzy Hash: 2211F5B1904209DFDB10DF9AD888BEEBBF8EB49324F14841AD519B7350D778A944CFA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • OleInitialize.OLE32(00000000), ref: 05FBCBA5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
                                                                                                    Similarity
                                                                                                    • API ID: Initialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2538663250-0
                                                                                                    • Opcode ID: ea9f2b7777b45d96f870b95194e7e37a4d8b7c3c00ef248f27d46b7696f8be12
                                                                                                    • Instruction ID: fdc12098603e086b1e9835a0ef0b8c440070c9394cd429b5460333032438f3bf
                                                                                                    • Opcode Fuzzy Hash: ea9f2b7777b45d96f870b95194e7e37a4d8b7c3c00ef248f27d46b7696f8be12
                                                                                                    • Instruction Fuzzy Hash: CD1115B5904249CFDB10CF9AD588BDEBBF4EB48324F108459E519B7300C778A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 05FBCBA5
Memory Dump Source
• Source File: 0000000D.00000002.601154964.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.596084866.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.596084866.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.596128875.000000000102D000.00000040.00000001.sdmp, Offset: 0102D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.596128875.000000000102D000.00000040.00000001.sdmp, Offset: 0102D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.596084866.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.596084866.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

Memory Dump Source
• Source File: 00000013.00000002.510186202.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.510186202.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.510186202.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.510186202.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.510186202.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.510186202.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.510186202.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.510186202.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.510186202.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.510186202.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions