Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report SOA pdf.exe

Overview

General Information

Sample Name:SOA pdf.exe
Analysis ID:433462
MD5:bbc9e35de9e2839c817ab6776fc6463d
SHA1:bc65f4322261fbf23aa9e58d03e18346a5043bf6
SHA256:1b424eac2b05b856247bfd73d7da0782a0366b48ad797e7f55f1f98b6b0980f9
Tags:AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • SOA pdf.exe (PID: 6976 cmdline: 'C:\Users\user\Desktop\SOA pdf.exe' MD5: BBC9E35DE9E2839C817AB6776FC6463D)
    • schtasks.exe (PID: 7000 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HNfyrYavn' /XML 'C:\Users\user\AppData\Local\Temp\tmpFDEE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • SOA pdf.exe (PID: 7040 cmdline: {path} MD5: BBC9E35DE9E2839C817AB6776FC6463D)
  • uwmDRDg.exe (PID: 2740 cmdline: 'C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe' MD5: BBC9E35DE9E2839C817AB6776FC6463D)
    • schtasks.exe (PID: 4484 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HNfyrYavn' /XML 'C:\Users\user\AppData\Local\Temp\tmp2FD7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • uwmDRDg.exe (PID: 6740 cmdline: {path} MD5: BBC9E35DE9E2839C817AB6776FC6463D)
  • uwmDRDg.exe (PID: 4752 cmdline: 'C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe' MD5: BBC9E35DE9E2839C817AB6776FC6463D)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "parts@vibranthonda.coRADHE@123smtp.vibranthonda.co"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000F.00000002.898550212.00000000027F6000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    0000000A.00000000.730746294.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      0000000A.00000000.730746294.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
        00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 21 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            15.2.uwmDRDg.exe.38c04b0.3.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              15.2.uwmDRDg.exe.38c04b0.3.raw.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                16.2.uwmDRDg.exe.3d00680.3.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  16.2.uwmDRDg.exe.3d00680.3.raw.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    15.2.uwmDRDg.exe.38c04b0.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 13 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmpMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "parts@vibranthonda.coRADHE@123smtp.vibranthonda.co"}
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\HNfyrYavn.exeReversingLabs: Detection: 56%
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeReversingLabs: Detection: 56%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: SOA pdf.exeVirustotal: Detection: 55%Perma Link
                      Source: SOA pdf.exeReversingLabs: Detection: 56%
                      Source: 10.0.SOA pdf.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 20.2.uwmDRDg.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 20.0.uwmDRDg.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8

                      Compliance:

                      barindex
                      Detected unpacking (overwrites its own PE header)Show sources
                      Source: C:\Users\user\Desktop\SOA pdf.exeUnpacked PE file: 0.2.SOA pdf.exe.4d0000.0.unpack
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeUnpacked PE file: 15.2.uwmDRDg.exe.330000.0.unpack
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeUnpacked PE file: 16.2.uwmDRDg.exe.7e0000.0.unpack
                      Source: SOA pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: SOA pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h0_2_08F04198
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 4x nop then push dword ptr [ebp-24h]0_2_08F04628
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh0_2_08F04628
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h0_2_08F0418C
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 4x nop then xor edx, edx0_2_08F04560
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 4x nop then xor edx, edx0_2_08F04554
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 4x nop then push dword ptr [ebp-20h]0_2_08F042FD
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh0_2_08F042FD
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 4x nop then push dword ptr [ebp-24h]0_2_08F0461D
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh0_2_08F0461D
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 4x nop then push dword ptr [ebp-20h]0_2_08F04308
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh0_2_08F04308

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49780 -> 208.91.199.224:587
                      Source: uwmDRDg.exe, 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: uwmDRDg.exe, 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: uwmDRDg.exe, 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmpString found in binary or memory: http://TIlVCz.com
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: SOA pdf.exe, 00000000.00000002.732813153.0000000002977000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.898531199.00000000027E7000.00000004.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.908725677.0000000002C27000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: SOA pdf.exe, 00000000.00000002.735817127.0000000003988000.00000004.00000001.sdmp, SOA pdf.exe, 0000000A.00000000.730746294.0000000000402000.00000040.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.900614886.00000000037F3000.00000004.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.909346446.0000000003C33000.00000004.00000001.sdmp, uwmDRDg.exe, 00000014.00000000.895697326.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: uwmDRDg.exe, 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      Spam, unwanted Advertisements and Ransom Demands:

                      barindex
                      Modifies the hosts fileShow sources
                      Source: C:\Users\user\Desktop\SOA pdf.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 10.0.SOA pdf.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b11004A9Cu002d6669u002d46F0u002d8678u002d0F05607DDA88u007d/u00380D9967Fu002dE7BFu002d430Au002dA8EDu002d2F835DC2079D.csLarge array initialization: .cctor: array initializer size 11937
                      Source: 20.2.uwmDRDg.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b11004A9Cu002d6669u002d46F0u002d8678u002d0F05607DDA88u007d/u00380D9967Fu002dE7BFu002d430Au002dA8EDu002d2F835DC2079D.csLarge array initialization: .cctor: array initializer size 11937
                      Source: 20.0.uwmDRDg.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b11004A9Cu002d6669u002d46F0u002d8678u002d0F05607DDA88u007d/u00380D9967Fu002dE7BFu002d430Au002dA8EDu002d2F835DC2079D.csLarge array initialization: .cctor: array initializer size 11937
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_027401A4 NtQueryInformationProcess,0_2_027401A4
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_02743493 NtQueryInformationProcess,0_2_02743493
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 15_2_00C701A4 NtQueryInformationProcess,15_2_00C701A4
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 15_2_00C73491 NtQueryInformationProcess,15_2_00C73491
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_02BC01A4 NtQueryInformationProcess,16_2_02BC01A4
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_02BC3491 NtQueryInformationProcess,16_2_02BC3491
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_02742DA10_2_02742DA1
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_027404700_2_02740470
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_02747C190_2_02747C19
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F070D80_2_08F070D8
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F07C800_2_08F07C80
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F000400_2_08F00040
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F060400_2_08F06040
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F095600_2_08F09560
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F065180_2_08F06518
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F086D00_2_08F086D0
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F03A100_2_08F03A10
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0DBA00_2_08F0DBA0
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F050FF0_2_08F050FF
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F070D20_2_08F070D2
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0E0800_2_08F0E080
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0CC700_2_08F0CC70
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F07C700_2_08F07C70
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0CC6A0_2_08F0CC6A
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0EC200_2_08F0EC20
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0B5F80_2_08F0B5F8
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0B5E90_2_08F0B5E9
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F031D00_2_08F031D0
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F031C00_2_08F031C0
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0E5580_2_08F0E558
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0E5480_2_08F0E548
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F081300_2_08F08130
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F081200_2_08F08120
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F051100_2_08F05110
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F065090_2_08F06509
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0950A0_2_08F0950A
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F086C00_2_08F086C0
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0D2A80_2_08F0D2A8
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0D2900_2_08F0D290
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0B2880_2_08F0B288
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0B2790_2_08F0B279
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0967B0_2_08F0967B
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0BA180_2_08F0BA18
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0A3F00_2_08F0A3F0
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0EBFA0_2_08F0EBFA
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0A3E00_2_08F0A3E0
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0B7E80_2_08F0B7E8
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0BBD00_2_08F0BBD0
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0B7D90_2_08F0B7D9
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0BBCA0_2_08F0BBCA
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0DB900_2_08F0DB90
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F03B280_2_08F03B28
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE00400_2_0ECE0040
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE15A00_2_0ECE15A0
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE15B00_2_0ECE15B0
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE02D60_2_0ECE02D6
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE02E50_2_0ECE02E5
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE02A30_2_0ECE02A3
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE02480_2_0ECE0248
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE02640_2_0ECE0264
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE00060_2_0ECE0006
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 15_2_00C72DA115_2_00C72DA1
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 15_2_00C7047015_2_00C70470
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_02BC2DA116_2_02BC2DA1
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_02BC047016_2_02BC0470
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_02BC7C1916_2_02BC7C19
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_0E72004016_2_0E720040
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_0E7215B016_2_0E7215B0
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_0E7215AD16_2_0E7215AD
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_0E72026416_2_0E720264
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_0E72024816_2_0E720248
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_0E7202E516_2_0E7202E5
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_0E7202D616_2_0E7202D6
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_0E7202A316_2_0E7202A3
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_0E72001F16_2_0E72001F
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_0E72000716_2_0E720007
                      Source: SOA pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: HNfyrYavn.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: uwmDRDg.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SOA pdf.exeBinary or memory string: OriginalFilename vs SOA pdf.exe
                      Source: SOA pdf.exe, 00000000.00000002.746307442.0000000008D90000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs SOA pdf.exe
                      Source: SOA pdf.exe, 00000000.00000002.732813153.0000000002977000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamezssGGTdVLFRKFFVUlZbcwKclIxjSHIWgFUac.exe( vs SOA pdf.exe
                      Source: SOA pdf.exe, 00000000.00000002.746403557.0000000008DF0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs SOA pdf.exe
                      Source: SOA pdf.exe, 00000000.00000002.746403557.0000000008DF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs SOA pdf.exe
                      Source: SOA pdf.exe, 00000000.00000002.746071346.0000000008B60000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs SOA pdf.exe
                      Source: SOA pdf.exe, 00000000.00000002.731720921.00000000005D1000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameYkXf.exe& vs SOA pdf.exe
                      Source: SOA pdf.exe, 00000000.00000002.732837793.0000000002982000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWindowsNetwork.dll> vs SOA pdf.exe
                      Source: SOA pdf.exe, 00000000.00000002.745488768.0000000008940000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs SOA pdf.exe
                      Source: SOA pdf.exe, 0000000A.00000000.730342008.0000000000E81000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameYkXf.exe& vs SOA pdf.exe
                      Source: SOA pdf.exeBinary or memory string: OriginalFilenameYkXf.exe& vs SOA pdf.exe
                      Source: SOA pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 10.0.SOA pdf.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 10.0.SOA pdf.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 20.2.uwmDRDg.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 20.2.uwmDRDg.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 20.0.uwmDRDg.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 20.0.uwmDRDg.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.adwa.evad.winEXE@15/9@0/0
                      Source: C:\Users\user\Desktop\SOA pdf.exeFile created: C:\Users\user\AppData\Roaming\HNfyrYavn.exeJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_01
                      Source: C:\Users\user\Desktop\SOA pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpFDEE.tmpJump to behavior
                      Source: SOA pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\SOA pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\SOA pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: SOA pdf.exeVirustotal: Detection: 55%
                      Source: SOA pdf.exeReversingLabs: Detection: 56%
                      Source: C:\Users\user\Desktop\SOA pdf.exeFile read: C:\Users\user\Desktop\SOA pdf.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\SOA pdf.exe 'C:\Users\user\Desktop\SOA pdf.exe'
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HNfyrYavn' /XML 'C:\Users\user\AppData\Local\Temp\tmpFDEE.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess created: C:\Users\user\Desktop\SOA pdf.exe {path}
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe 'C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe 'C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe'
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HNfyrYavn' /XML 'C:\Users\user\AppData\Local\Temp\tmp2FD7.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess created: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe {path}
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HNfyrYavn' /XML 'C:\Users\user\AppData\Local\Temp\tmpFDEE.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess created: C:\Users\user\Desktop\SOA pdf.exe {path}Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HNfyrYavn' /XML 'C:\Users\user\AppData\Local\Temp\tmp2FD7.tmp'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess created: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe {path}Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: SOA pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SOA pdf.exeStatic file information: File size 1143808 > 1048576
                      Source: SOA pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      Detected unpacking (changes PE section rights)Show sources
                      Source: C:\Users\user\Desktop\SOA pdf.exeUnpacked PE file: 0.2.SOA pdf.exe.4d0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeUnpacked PE file: 15.2.uwmDRDg.exe.330000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeUnpacked PE file: 16.2.uwmDRDg.exe.7e0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                      Detected unpacking (overwrites its own PE header)Show sources
                      Source: C:\Users\user\Desktop\SOA pdf.exeUnpacked PE file: 0.2.SOA pdf.exe.4d0000.0.unpack
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeUnpacked PE file: 15.2.uwmDRDg.exe.330000.0.unpack
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeUnpacked PE file: 16.2.uwmDRDg.exe.7e0000.0.unpack
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_004D5D8A push edx; ret 0_2_004D5D8B
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_02740191 push ebx; retf 0_2_02740192
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F09422 pushfd ; retf 0_2_08F09424
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F0C6AC push ecx; ret 0_2_08F0C6AD
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_08F06E26 push ss; ret 0_2_08F06E27
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE0F0F push es; ret 0_2_0ECE0F11
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE54C5 push FFFFFF8Bh; iretd 0_2_0ECE54C7
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE1450 push cs; iretd 0_2_0ECE1458
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_0ECE1545 push cs; retf 0_2_0ECE1548
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 15_2_00335D8A push edx; ret 15_2_00335D8B
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_007E5D8A push edx; ret 16_2_007E5D8B
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_0E720F0F push es; ret 16_2_0E720F11
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 16_2_0E721547 push cs; retf 16_2_0E721548
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeCode function: 20_2_007B5D8A push edx; ret 20_2_007B5D8B
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.07467868209
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.07467868209
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.07467868209
                      Source: C:\Users\user\Desktop\SOA pdf.exeFile created: C:\Users\user\AppData\Roaming\HNfyrYavn.exeJump to dropped file
                      Source: C:\Users\user\Desktop\SOA pdf.exeFile created: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HNfyrYavn' /XML 'C:\Users\user\AppData\Local\Temp\tmpFDEE.tmp'
                      Source: C:\Users\user\Desktop\SOA pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run uwmDRDgJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run uwmDRDgJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\Desktop\SOA pdf.exeFile opened: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 0000000F.00000002.898550212.00000000027F6000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.732837793.0000000002982000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: uwmDRDg.exe PID: 2740, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SOA pdf.exe PID: 6976, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: uwmDRDg.exe PID: 4752, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\SOA pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\SOA pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to delay execution (extensive OutputDebugStringW loop)Show sources
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeSection loaded: OutputDebugStringW count: 151
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: SOA pdf.exe, 00000000.00000002.732837793.0000000002982000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.898550212.00000000027F6000.00000004.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: SOA pdf.exe, 00000000.00000002.732837793.0000000002982000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.898550212.00000000027F6000.00000004.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeCode function: 0_2_004D808D sldt word ptr [eax]0_2_004D808D
                      Source: C:\Users\user\Desktop\SOA pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeWindow / User API: threadDelayed 1170Jump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeWindow / User API: threadDelayed 8681Jump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exe TID: 7036Thread sleep time: -65000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exe TID: 7028Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exe TID: 5484Thread sleep time: -16602069666338586s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exe TID: 5560Thread sleep count: 1170 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exe TID: 5560Thread sleep count: 8681 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe TID: 3040Thread sleep time: -61000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe TID: 6248Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe TID: 7084Thread sleep count: 63 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe TID: 7084Thread sleep time: -63000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\SOA pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: uwmDRDg.exe, 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                      Source: uwmDRDg.exe, 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: uwmDRDg.exe, 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: uwmDRDg.exe, 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: uwmDRDg.exe, 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: uwmDRDg.exe, 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: uwmDRDg.exe, 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: uwmDRDg.exe, 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: uwmDRDg.exe, 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeSystem information queried: KernelDebuggerInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\SOA pdf.exeMemory written: C:\Users\user\Desktop\SOA pdf.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeMemory written: unknown base: 400000 value starts with: 4D5AJump to behavior
                      Modifies the hosts fileShow sources
                      Source: C:\Users\user\Desktop\SOA pdf.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HNfyrYavn' /XML 'C:\Users\user\AppData\Local\Temp\tmpFDEE.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeProcess created: C:\Users\user\Desktop\SOA pdf.exe {path}Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HNfyrYavn' /XML 'C:\Users\user\AppData\Local\Temp\tmp2FD7.tmp'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess created: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe {path}Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeProcess created: unknown unknownJump to behavior
                      Source: uwmDRDg.exe, 00000010.00000002.908439159.00000000015A0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000014.00000002.908091972.0000000001780000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: uwmDRDg.exe, 00000010.00000002.908439159.00000000015A0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000014.00000002.908091972.0000000001780000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: uwmDRDg.exe, 00000010.00000002.908439159.00000000015A0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000014.00000002.908091972.0000000001780000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: uwmDRDg.exe, 00000010.00000002.908439159.00000000015A0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000014.00000002.908091972.0000000001780000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Users\user\Desktop\SOA pdf.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Users\user\Desktop\SOA pdf.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SOA pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      barindex
                      Modifies the hosts fileShow sources
                      Source: C:\Users\user\Desktop\SOA pdf.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 0000000A.00000000.730746294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.735817127.0000000003988000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000000.895697326.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.909346446.0000000003C33000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.900614886.00000000037F3000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.906578289.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 15.2.uwmDRDg.exe.38c04b0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.uwmDRDg.exe.3d00680.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.uwmDRDg.exe.38c04b0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SOA pdf.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.uwmDRDg.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SOA pdf.exe.3a54b60.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.0.uwmDRDg.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SOA pdf.exe.3a54b60.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.uwmDRDg.exe.3d00680.3.unpack, type: UNPACKEDPE
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 0000000A.00000000.730746294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.735817127.0000000003988000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000000.895697326.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.909346446.0000000003C33000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.900614886.00000000037F3000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.906578289.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: uwmDRDg.exe PID: 6740, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: uwmDRDg.exe PID: 2740, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SOA pdf.exe PID: 7040, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SOA pdf.exe PID: 6976, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: uwmDRDg.exe PID: 4752, type: MEMORY
                      Source: Yara matchFile source: 15.2.uwmDRDg.exe.38c04b0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.uwmDRDg.exe.3d00680.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.uwmDRDg.exe.38c04b0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SOA pdf.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.uwmDRDg.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SOA pdf.exe.3a54b60.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.0.uwmDRDg.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SOA pdf.exe.3a54b60.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.uwmDRDg.exe.3d00680.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: uwmDRDg.exe PID: 6740, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 0000000A.00000000.730746294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.735817127.0000000003988000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000000.895697326.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.909346446.0000000003C33000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.900614886.00000000037F3000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.906578289.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 15.2.uwmDRDg.exe.38c04b0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.uwmDRDg.exe.3d00680.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.uwmDRDg.exe.38c04b0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SOA pdf.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.uwmDRDg.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SOA pdf.exe.3a54b60.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.0.uwmDRDg.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SOA pdf.exe.3a54b60.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.uwmDRDg.exe.3d00680.3.unpack, type: UNPACKEDPE
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 0000000A.00000000.730746294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.735817127.0000000003988000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000000.895697326.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.909346446.0000000003C33000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.900614886.00000000037F3000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.906578289.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: uwmDRDg.exe PID: 6740, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: uwmDRDg.exe PID: 2740, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SOA pdf.exe PID: 7040, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: SOA pdf.exe PID: 6976, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: uwmDRDg.exe PID: 4752, type: MEMORY
                      Source: Yara matchFile source: 15.2.uwmDRDg.exe.38c04b0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.uwmDRDg.exe.3d00680.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.uwmDRDg.exe.38c04b0.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.0.SOA pdf.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.uwmDRDg.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SOA pdf.exe.3a54b60.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.0.uwmDRDg.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.SOA pdf.exe.3a54b60.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.uwmDRDg.exe.3d00680.3.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Scheduled Task/Job1Process Injection112Masquerading1OS Credential DumpingSecurity Software Discovery331Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/Job1Registry Run Keys / Startup Folder1Scheduled Task/Job1File and Directory Permissions Modification1LSASS MemoryProcess Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Registry Run Keys / Startup Folder1Disable or Modify Tools1Security Account ManagerVirtualization/Sandbox Evasion261SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Virtualization/Sandbox Evasion261NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptProcess Injection112LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonDeobfuscate/Decode Files or Information1Cached Domain CredentialsSystem Information Discovery113VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsHidden Files and Directories1DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobObfuscated Files or Information3Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Software Packing22/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 433462 Sample: SOA pdf.exe Startdate: 11/06/2021 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 11 other signatures 2->51 7 SOA pdf.exe 6 2->7         started        11 uwmDRDg.exe 5 2->11         started        13 uwmDRDg.exe 4 2->13         started        process3 file4 29 C:\Users\user\AppData\Roaming\HNfyrYavn.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmpFDEE.tmp, XML 7->31 dropped 33 C:\Users\user\AppData\...\SOA pdf.exe.log, ASCII 7->33 dropped 53 Injects a PE file into a foreign processes 7->53 15 SOA pdf.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        55 Multi AV Scanner detection for dropped file 11->55 57 Detected unpacking (changes PE section rights) 11->57 59 Detected unpacking (overwrites its own PE header) 11->59 61 Tries to delay execution (extensive OutputDebugStringW loop) 11->61 21 schtasks.exe 1 11->21         started        23 uwmDRDg.exe 11->23         started        signatures5 process6 file7 35 C:\Users\user\AppData\Roaming\...\uwmDRDg.exe, PE32 15->35 dropped 37 C:\Windows\System32\drivers\etc\hosts, ASCII 15->37 dropped 39 C:\Users\user\...\uwmDRDg.exe:Zone.Identifier, ASCII 15->39 dropped 41 Modifies the hosts file 15->41 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->43 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started        signatures8 process9

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      SOA pdf.exe55%VirustotalBrowse
                      SOA pdf.exe57%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\HNfyrYavn.exe57%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                      C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe57%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      0.2.SOA pdf.exe.4d0000.0.unpack100%AviraHEUR/AGEN.1123468Download File
                      15.2.uwmDRDg.exe.330000.0.unpack100%AviraHEUR/AGEN.1123468Download File
                      10.0.SOA pdf.exe.400000.1.unpack100%AviraTR/Spy.Gen8Download File
                      20.2.uwmDRDg.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                      16.2.uwmDRDg.exe.7e0000.0.unpack100%AviraHEUR/AGEN.1123468Download File
                      20.0.uwmDRDg.exe.400000.1.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://TIlVCz.com0%Avira URL Cloudsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.1uwmDRDg.exe, 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://www.apache.org/licenses/LICENSE-2.0SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                        		high
                        http://www.fontbureau.comSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.com/designersGSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                            		high
                            http://DynDns.comDynDNSuwmDRDg.exe, 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers/?SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                              		high
                              http://www.founder.com.cn/cn/bTheSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hauwmDRDg.exe, 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designers?SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                		high
                                http://www.tiro.comuwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designersuwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                  		high
                                  http://www.goodfont.co.krSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.carterandcone.comlSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sajatypeworks.comSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netDSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.founder.com.cn/cn/cTheSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://fontfabrik.comSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.founder.com.cn/cnSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/frere-user.htmlSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                      		high
                                      http://www.jiyu-kobo.co.jp/SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.galapagosdesign.com/DPleaseSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers8SOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                        		high
                                        http://www.fonts.comSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                          		high
                                          http://www.sandoll.co.krSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://TIlVCz.comuwmDRDg.exe, 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.urwpp.deDPleaseSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.zhongyicts.com.cnSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSOA pdf.exe, 00000000.00000002.732813153.0000000002977000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.898531199.00000000027E7000.00000004.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.908725677.0000000002C27000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.sakkal.comSOA pdf.exe, 00000000.00000002.743252858.0000000006D32000.00000004.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.903867904.0000000005AC0000.00000002.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.912445741.0000000005F80000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipSOA pdf.exe, 00000000.00000002.735817127.0000000003988000.00000004.00000001.sdmp, SOA pdf.exe, 0000000A.00000000.730746294.0000000000402000.00000040.00000001.sdmp, uwmDRDg.exe, 0000000F.00000002.900614886.00000000037F3000.00000004.00000001.sdmp, uwmDRDg.exe, 00000010.00000002.909346446.0000000003C33000.00000004.00000001.sdmp, uwmDRDg.exe, 00000014.00000000.895697326.0000000000402000.00000040.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown

                                            Contacted IPs

                                            No contacted IP infos

                                            General Information

                                            Joe Sandbox Version:32.0.0 Black Diamond
                                            Analysis ID:433462
                                            Start date:11.06.2021
                                            Start time:22:40:31
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 9m 54s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Sample file name:SOA pdf.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:21
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.adwa.evad.winEXE@15/9@0/0
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 2.4% (good quality ratio 1.2%)
                                            • Quality average: 37.2%
                                            • Quality standard deviation: 40.1%
                                            HCA Information:
                                            • Successful, ratio: 83%
                                            • Number of executed functions: 172
                                            • Number of non-executed functions: 32
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .exe
                                            Warnings:
                                            Show All
                                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

                                            TimeTypeDescription
                                            22:42:12API Interceptor510x Sleep call for process: SOA pdf.exe modified
                                            22:42:25AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run uwmDRDg C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe
                                            22:42:33AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run uwmDRDg C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe

                                            Joe Sandbox View / Context

                                            IPs

                                            No context

                                            Domains

                                            No context

                                            ASN

                                            No context

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA pdf.exe.log
                                            Process:C:\Users\user\Desktop\SOA pdf.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.355304211458859
                                            Encrypted:false
                                            SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                            MD5:B666A4404B132B2BF6C04FBF848EB948
                                            SHA1:D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                            SHA-256:7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                            SHA-512:00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                            Malicious:true
                                            Reputation:moderate, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uwmDRDg.exe.log
                                            Process:C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.355304211458859
                                            Encrypted:false
                                            SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                            MD5:B666A4404B132B2BF6C04FBF848EB948
                                            SHA1:D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                            SHA-256:7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                            SHA-512:00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                            C:\Users\user\AppData\Local\Temp\tmp2FD7.tmp
                                            Process:C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1642
                                            Entropy (8bit):5.178991871034773
                                            Encrypted:false
                                            SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGEstn:cbhK79lNQR/rydbz9I3YODOLNdq3r6
                                            MD5:31B821B2FEB1B42ADBB8C75842725995
                                            SHA1:4CE0E1D17393434615E932020EC605B1BAB5E826
                                            SHA-256:60DFA4E79EDC17ECEA20B64A4701BBFAEA0AE5C54E02E0614FA8D7D911BA9522
                                            SHA-512:60295A0D2135C8F4D30A37D747769364D03878C9D53D965F03CF0468769D270E3CCA1DFEC236FA7093FE95DFB011D6F85C5AC575E2C83A8260B200284CB97AD1
                                            Malicious:false
                                            Reputation:low
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                            C:\Users\user\AppData\Local\Temp\tmp6F66.tmp
                                            Process:C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1642
                                            Entropy (8bit):5.178991871034773
                                            Encrypted:false
                                            SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGEstn:cbhK79lNQR/rydbz9I3YODOLNdq3r6
                                            MD5:31B821B2FEB1B42ADBB8C75842725995
                                            SHA1:4CE0E1D17393434615E932020EC605B1BAB5E826
                                            SHA-256:60DFA4E79EDC17ECEA20B64A4701BBFAEA0AE5C54E02E0614FA8D7D911BA9522
                                            SHA-512:60295A0D2135C8F4D30A37D747769364D03878C9D53D965F03CF0468769D270E3CCA1DFEC236FA7093FE95DFB011D6F85C5AC575E2C83A8260B200284CB97AD1
                                            Malicious:false
                                            Reputation:low
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                            C:\Users\user\AppData\Local\Temp\tmpFDEE.tmp
                                            Process:C:\Users\user\Desktop\SOA pdf.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1642
                                            Entropy (8bit):5.178991871034773
                                            Encrypted:false
                                            SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGEstn:cbhK79lNQR/rydbz9I3YODOLNdq3r6
                                            MD5:31B821B2FEB1B42ADBB8C75842725995
                                            SHA1:4CE0E1D17393434615E932020EC605B1BAB5E826
                                            SHA-256:60DFA4E79EDC17ECEA20B64A4701BBFAEA0AE5C54E02E0614FA8D7D911BA9522
                                            SHA-512:60295A0D2135C8F4D30A37D747769364D03878C9D53D965F03CF0468769D270E3CCA1DFEC236FA7093FE95DFB011D6F85C5AC575E2C83A8260B200284CB97AD1
                                            Malicious:true
                                            Reputation:low
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                            C:\Users\user\AppData\Roaming\HNfyrYavn.exe
                                            Process:C:\Users\user\Desktop\SOA pdf.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):1143808
                                            Entropy (8bit):7.032108864110578
                                            Encrypted:false
                                            SSDEEP:24576:vIYC0jw6k2HQNJwZaJv3eUyzJ6dH/MpLw:W02NJxJfehAfMpL
                                            MD5:BBC9E35DE9E2839C817AB6776FC6463D
                                            SHA1:BC65F4322261FBF23AA9E58D03E18346A5043BF6
                                            SHA-256:1B424EAC2B05B856247BFD73D7DA0782A0366B48AD797E7F55F1F98B6B0980F9
                                            SHA-512:744085B257FCBEE7573443F0D0FF8E2DD61C4ACE7AE832CE46B2FE90F76933A972FDF8F9A1C969F4C1F5630F00F6DC774283E472478097D0281158FC2E64F91E
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 57%
                                            Reputation:low
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y.`..............0......X.......8... ...@....@.. ....................................@..................................8..K....@..xU........................................................................... ............... ..H............text........ ...................... ..`.rsrc...xU...@...V..................@..@.reloc...............r..............@..B.................8......H.......@...p.......r...8................................................0..........(....(....*..0..X.......r...p. {].. ..X.a%...^E........k...............{...........0...L...8.....r...p(....(....-. ....%+. ....%&. .v..Za+.r...p(..... @Xd.Z .?..a8|....-. ....%+. ..=.%&. en<.Za8]....(.... )s..8M....r...p(....(....-. 4.zs%+. Y.J*%&. ...1Za8.....(....(....rC..p(....-. .Tc.%+. g...%&. q[..Za8...........s....(....%.(.....(.... :.P.8....(..... .>..8....*.0...............(0...*..0..
                                            C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe
                                            Process:C:\Users\user\Desktop\SOA pdf.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):1143808
                                            Entropy (8bit):7.032108864110578
                                            Encrypted:false
                                            SSDEEP:24576:vIYC0jw6k2HQNJwZaJv3eUyzJ6dH/MpLw:W02NJxJfehAfMpL
                                            MD5:BBC9E35DE9E2839C817AB6776FC6463D
                                            SHA1:BC65F4322261FBF23AA9E58D03E18346A5043BF6
                                            SHA-256:1B424EAC2B05B856247BFD73D7DA0782A0366B48AD797E7F55F1F98B6B0980F9
                                            SHA-512:744085B257FCBEE7573443F0D0FF8E2DD61C4ACE7AE832CE46B2FE90F76933A972FDF8F9A1C969F4C1F5630F00F6DC774283E472478097D0281158FC2E64F91E
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 57%
                                            Reputation:low
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y.`..............0......X.......8... ...@....@.. ....................................@..................................8..K....@..xU........................................................................... ............... ..H............text........ ...................... ..`.rsrc...xU...@...V..................@..@.reloc...............r..............@..B.................8......H.......@...p.......r...8................................................0..........(....(....*..0..X.......r...p. {].. ..X.a%...^E........k...............{...........0...L...8.....r...p(....(....-. ....%+. ....%&. .v..Za+.r...p(..... @Xd.Z .?..a8|....-. ....%+. ..=.%&. en<.Za8]....(.... )s..8M....r...p(....(....-. 4.zs%+. Y.J*%&. ...1Za8.....(....(....rC..p(....-. .Tc.%+. g...%&. q[..Za8...........s....(....%.(.....(.... :.P.8....(..... .>..8....*.0...............(0...*..0..
                                            C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe:Zone.Identifier
                                            Process:C:\Users\user\Desktop\SOA pdf.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Preview: [ZoneTransfer]....ZoneId=0
                                            C:\Windows\System32\drivers\etc\hosts
                                            Process:C:\Users\user\Desktop\SOA pdf.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):11
                                            Entropy (8bit):2.663532754804255
                                            Encrypted:false
                                            SSDEEP:3:iLE:iLE
                                            MD5:B24D295C1F84ECBFB566103374FB91C5
                                            SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                                            SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                                            SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                                            Malicious:true
                                            Preview: ..127.0.0.1

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.032108864110578
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:SOA pdf.exe
                                            File size:1143808
                                            MD5:bbc9e35de9e2839c817ab6776fc6463d
                                            SHA1:bc65f4322261fbf23aa9e58d03e18346a5043bf6
                                            SHA256:1b424eac2b05b856247bfd73d7da0782a0366b48ad797e7f55f1f98b6b0980f9
                                            SHA512:744085b257fcbee7573443f0d0ff8e2dd61c4ace7ae832ce46b2fe90f76933a972fdf8f9a1c969f4c1f5630f00f6dc774283e472478097d0281158fc2e64f91e
                                            SSDEEP:24576:vIYC0jw6k2HQNJwZaJv3eUyzJ6dH/MpLw:W02NJxJfehAfMpL
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y.`..............0......X.......8... ...@....@.. ....................................@................................

                                            File Icon

                                            Icon Hash:d0c8d0f0f4d4c8c8

                                            Static PE Info

                                            General

                                            Entrypoint:0x4e38fe
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x60C179BE [Thu Jun 10 02:32:30 2021 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al

                                            Data Directories

                                            NameVirtual AddressVirtual Size Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT0xe38b00x4b.text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xe40000x35578.rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x11a0000xc.reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                            Sections

                                            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                            .text0x20000xe19040xe1a00False0.664215070983data7.07467868209IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc0xe40000x355780x35600False0.438684682377data6.1501162403IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc0x11a0000xc0x200False0.041015625data0.0815394123432IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            NameRVASizeTypeLanguageCountry
                                            RT_ICON0xe42b00xca77PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                            RT_ICON0xf0d280x10828dBase III DBT, version number 0, next free block index 40
                                            RT_ICON0x1015500x94a8data
                                            RT_ICON0x10a9f80x5488data
                                            RT_ICON0x10fe800x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 255, next used block 2130706432
                                            RT_ICON0x1140a80x25a8data
                                            RT_ICON0x1166500x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                                            RT_ICON0x1176f80x988data
                                            RT_ICON0x1180800x468GLS_BINARY_LSB_FIRST
                                            RT_GROUP_ICON0x1184e80x84data
                                            RT_VERSION0x11856c0x2e0data
                                            RT_MANIFEST0x11884c0xd25XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

                                            Imports

                                            DLLImport
                                            mscoree.dll_CorExeMain

                                            Version Infos

                                            DescriptionData
                                            Translation0x0000 0x04b0
                                            LegalCopyrightor
                                            Assembly Version4.9.7.6
                                            InternalNameYkXf.exe
                                            FileVersion2.4.1.2
                                            CompanyNamego
                                            LegalTrademarksun
                                            Commentsit
                                            ProductNamewe
                                            ProductVersion2.4.1.2
                                            FileDescriptionw
                                            OriginalFilenameYkXf.exe

                                            Network Behavior

                                            No network behavior found

                                            Code Manipulations

                                            Statistics

                                            CPU Usage

                                            Click to jump to process

                                            Memory Usage

                                            Click to jump to process

                                            High Level Behavior Distribution

                                            Click to dive into process behavior distribution

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            Analysis Process: SOA pdf.exe PID: 6976 Parent PID: 5940

                                            General

                                            Start time:22:41:13
                                            Start date:11/06/2021
                                            Path:C:\Users\user\Desktop\SOA pdf.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\SOA pdf.exe'
                                            Imagebase:0x4d0000
                                            File size:1143808 bytes
                                            MD5 hash:BBC9E35DE9E2839C817AB6776FC6463D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.735817127.0000000003988000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.735817127.0000000003988000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.732837793.0000000002982000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            Chronological Activities

                                            Analysis Process: schtasks.exe PID: 7000 Parent PID: 6976

                                            General

                                            Start time:22:41:55
                                            Start date:11/06/2021
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HNfyrYavn' /XML 'C:\Users\user\AppData\Local\Temp\tmpFDEE.tmp'
                                            Imagebase:0xf20000
                                            File size:185856 bytes
                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Chronological Activities

                                            Analysis Process: conhost.exe PID: 6972 Parent PID: 7000

                                            General

                                            Start time:22:41:56
                                            Start date:11/06/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Chronological Activities

                                            Analysis Process: SOA pdf.exe PID: 7040 Parent PID: 6976

                                            General

                                            Start time:22:41:57
                                            Start date:11/06/2021
                                            Path:C:\Users\user\Desktop\SOA pdf.exe
                                            Wow64 process (32bit):true
                                            Commandline:{path}
                                            Imagebase:0xd80000
                                            File size:1143808 bytes
                                            MD5 hash:BBC9E35DE9E2839C817AB6776FC6463D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.730746294.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.730746294.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            Chronological Activities

                                            Analysis Process: uwmDRDg.exe PID: 2740 Parent PID: 3424

                                            General

                                            Start time:22:42:33
                                            Start date:11/06/2021
                                            Path:C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe'
                                            Imagebase:0x330000
                                            File size:1143808 bytes
                                            MD5 hash:BBC9E35DE9E2839C817AB6776FC6463D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.898550212.00000000027F6000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.900614886.00000000037F3000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.900614886.00000000037F3000.00000004.00000001.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 57%, ReversingLabs
                                            Reputation:low

                                            Chronological Activities

                                            Analysis Process: uwmDRDg.exe PID: 4752 Parent PID: 3424

                                            General

                                            Start time:22:42:42
                                            Start date:11/06/2021
                                            Path:C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe'
                                            Imagebase:0x7e0000
                                            File size:1143808 bytes
                                            MD5 hash:BBC9E35DE9E2839C817AB6776FC6463D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.909346446.0000000003C33000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000002.909346446.0000000003C33000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.908748383.0000000002C37000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            Chronological Activities

                                            Analysis Process: schtasks.exe PID: 4484 Parent PID: 2740

                                            General

                                            Start time:22:43:13
                                            Start date:11/06/2021
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HNfyrYavn' /XML 'C:\Users\user\AppData\Local\Temp\tmp2FD7.tmp'
                                            Imagebase:0xf20000
                                            File size:185856 bytes
                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Chronological Activities

                                            Analysis Process: conhost.exe PID: 7124 Parent PID: 4484

                                            General

                                            Start time:22:43:14
                                            Start date:11/06/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Chronological Activities

                                            Analysis Process: uwmDRDg.exe PID: 6740 Parent PID: 2740

                                            General

                                            Start time:22:43:15
                                            Start date:11/06/2021
                                            Path:C:\Users\user\AppData\Roaming\uwmDRDg\uwmDRDg.exe
                                            Wow64 process (32bit):true
                                            Commandline:{path}
                                            Imagebase:0x7b0000
                                            File size:1143808 bytes
                                            MD5 hash:BBC9E35DE9E2839C817AB6776FC6463D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.908512619.0000000002D31000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000000.895697326.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000014.00000000.895697326.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.906578289.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000014.00000002.906578289.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            Chronological Activities

                                            Disassembly

                                            Code Analysis

                                            Reset < >

                                              Analysis Process: SOA pdf.exe PID: 6976 Parent PID: 5940 SOA pdf.exeCOMMON

                                              Executed Functions

                                              Function 08F00040, Relevance: 8.8, Strings: 5, Instructions: 2596COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: <*l$<*l$D0*l$Xc*l$Xc*l
                                              • API String ID: 0-623227522
                                              • Opcode ID: a663d2b1825db187b9205c7d22918d32ce7ad84bf391fab17d561b6e2b5642bc
                                              • Instruction ID: 78f4945b9635aa07a5ec8d79ce519454ba1a5b4161429f7be4ee745c19253a76
                                              • Opcode Fuzzy Hash: a663d2b1825db187b9205c7d22918d32ce7ad84bf391fab17d561b6e2b5642bc
                                              • Instruction Fuzzy Hash: 2F43FB74E04619CFCB25DF68C888A9DB7B2BF89311F158199E419AB3A1DB30ED81DF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02742DA1, Relevance: 2.7, Strings: 2, Instructions: 158COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: 4zs$4zs
                                              • API String ID: 0-2555019801
                                              • Opcode ID: 11931c997d12369e6d5cdde8b13dce2d5f8a11dd967597e4b0dc00a3464c96df
                                              • Instruction ID: ea75e3d84cf2b2c59b2d42625c60bf51ea0a9417973760baf9da35aa9d91a227
                                              • Opcode Fuzzy Hash: 11931c997d12369e6d5cdde8b13dce2d5f8a11dd967597e4b0dc00a3464c96df
                                              • Instruction Fuzzy Hash: 0B714874D04248DFCF08DFA5E8846AEBBB1FF89301F10852AE916BB25ADB345951CF15
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 027401A4, Relevance: 1.6, APIs: 1, Instructions: 103nativeCOMMON
                                              Download Yara Rule
                                              APIs
                                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 0274354D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID: InformationProcessQuery
                                              • String ID:
                                              • API String ID: 1778838933-0
                                              • Opcode ID: 04579d7ab7c72b404a276aac20188762b7cf765753d5e7e3047232f0e1f02cdc
                                              • Instruction ID: d2e926e3260bb17976040c508a5af7a013e2dc3d557a50bd1d2479e202a2bd48
                                              • Opcode Fuzzy Hash: 04579d7ab7c72b404a276aac20188762b7cf765753d5e7e3047232f0e1f02cdc
                                              • Instruction Fuzzy Hash: 044175B8D042589FCF10CFAAD984ADEFBB5BB59310F20906AE818B7310D735A905CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02743493, Relevance: 1.6, APIs: 1, Instructions: 102nativeCOMMON
                                              Download Yara Rule
                                              APIs
                                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 0274354D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID: InformationProcessQuery
                                              • String ID:
                                              • API String ID: 1778838933-0
                                              • Opcode ID: 2dfa90160d19256a1be00b6be2d92bd7fb8c2f006d78423400087f79d8b58230
                                              • Instruction ID: 4d123c1378ec7a8ebd6fb1626f5558bc1bb06fb21c95b5dfb88595289b4b6d25
                                              • Opcode Fuzzy Hash: 2dfa90160d19256a1be00b6be2d92bd7fb8c2f006d78423400087f79d8b58230
                                              • Instruction Fuzzy Hash: D24187B8D042589FCF10CFA9D984ADEFBB1BB59310F10906AE818B7310D735A905CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F03A10, Relevance: 1.6, Strings: 1, Instructions: 311COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: d-*l
                                              • API String ID: 0-2398784416
                                              • Opcode ID: 59300e90e7beece52e316efad1a713d046301de2f534880b37944189fb241653
                                              • Instruction ID: ecc7cb0e48f22093062f55106ab376ee7ee9006e0f1d0c9986340f8e159a3304
                                              • Opcode Fuzzy Hash: 59300e90e7beece52e316efad1a713d046301de2f534880b37944189fb241653
                                              • Instruction Fuzzy Hash: 6DD119B5E04218CFDB18DFB9C884A9EBBB2FF89315F118169D509AB365DB349841CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F03B28, Relevance: 1.5, Strings: 1, Instructions: 211COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: d-*l
                                              • API String ID: 0-2398784416
                                              • Opcode ID: 86177c0de808fbfa3fd21302985623ef73b64c5153e602e0fb3cb62f1eb90e27
                                              • Instruction ID: 5f9f9a6cf4b208c6cdbdb228ae1e7272cef801ecb48349aba7c3c91deb9b2e01
                                              • Opcode Fuzzy Hash: 86177c0de808fbfa3fd21302985623ef73b64c5153e602e0fb3cb62f1eb90e27
                                              • Instruction Fuzzy Hash: C191D875E002188FDB18DFA5D855B9EBBB2FF89310F10C06AE509AB365DB345946CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F070D2, Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: %X0
                                              • API String ID: 0-616848515
                                              • Opcode ID: 998c4692ec36f61d70c7af48fd308748da56ade7b4b2480d1974e6d3f5554be3
                                              • Instruction ID: 1bd4eedbc81648ab8f345260132d556061778c672e510d81869615e8e71f563c
                                              • Opcode Fuzzy Hash: 998c4692ec36f61d70c7af48fd308748da56ade7b4b2480d1974e6d3f5554be3
                                              • Instruction Fuzzy Hash: BA81C374E042188FCB08CFAAC984ADEFBB2EF89311F14952AD515BB394D735A906CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F070D8, Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: %X0
                                              • API String ID: 0-616848515
                                              • Opcode ID: 264eb48f248132820ba5f31a457ef3fc4f99be7ccf5d8d8b3c9a2d9e00bcdb45
                                              • Instruction ID: 9a10fa595632a6989b8aafde38e19166bb3f6a201dfb691545433bfc407fcfeb
                                              • Opcode Fuzzy Hash: 264eb48f248132820ba5f31a457ef3fc4f99be7ccf5d8d8b3c9a2d9e00bcdb45
                                              • Instruction Fuzzy Hash: A781C174E042188FCB08CFAAC984ADEFBB2EF89311F14952AD415BB394D735A945CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0950A, Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: 5j,
                                              • API String ID: 0-2820710924
                                              • Opcode ID: aff27075771140c4a28519d65e540a80e276c21501ff1ce5095b6f2f5507f721
                                              • Instruction ID: cb877a993835a24f687edc73571f27e5a4495bd82f4c4cf3aebe2ac3903a025c
                                              • Opcode Fuzzy Hash: aff27075771140c4a28519d65e540a80e276c21501ff1ce5095b6f2f5507f721
                                              • Instruction Fuzzy Hash: 7F918B74E0524ADFCB04CFAAC4844AEFFB2BF89301B1491A9C505AB256E774D942DF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F09560, Relevance: 1.4, Strings: 1, Instructions: 179COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: 5j,
                                              • API String ID: 0-2820710924
                                              • Opcode ID: 2a8ad138c77b43e0829c624b7a447801e9a1e49de582be2f39dd4e8c5e30656c
                                              • Instruction ID: e6521e648590e036308c23eb1bbacdff7114c792a3c083b5e3fbe2cfb1b92621
                                              • Opcode Fuzzy Hash: 2a8ad138c77b43e0829c624b7a447801e9a1e49de582be2f39dd4e8c5e30656c
                                              • Instruction Fuzzy Hash: 2F713874E0020ADFDB04CFAAC4818AEFBB2FF89301F649159D515AB355E774AA42DF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F07C70, Relevance: 1.4, Strings: 1, Instructions: 159COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: oeScript
                                              • API String ID: 0-529018259
                                              • Opcode ID: 03090bbf4d1b3c0fba1cb2f7ceef3655a5fd54523bea4796d57411f6b56972d6
                                              • Instruction ID: 8ba62a2b6050537f1ad87e0d4affec16514703dd06c151195d62cdb2985c899f
                                              • Opcode Fuzzy Hash: 03090bbf4d1b3c0fba1cb2f7ceef3655a5fd54523bea4796d57411f6b56972d6
                                              • Instruction Fuzzy Hash: 60516C71E042098FDB08DFAAD8406AEFBF2FF89211F14D06AD415E7250E7355A019F95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0967B, Relevance: 1.4, Strings: 1, Instructions: 157COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: 5j,
                                              • API String ID: 0-2820710924
                                              • Opcode ID: 5871593256c3a5227e91d581d0a984fd760185601e1c335bd66a2f05e0915106
                                              • Instruction ID: 877e2027d957c793251980d2cc83801fb6a7e00a6833ae6bc7c30fad3b4fdc8b
                                              • Opcode Fuzzy Hash: 5871593256c3a5227e91d581d0a984fd760185601e1c335bd66a2f05e0915106
                                              • Instruction Fuzzy Hash: 1C612774E0420ADFCB04CFAAC5818AEFBB2FF89301B649155C515AB355E374EA82DF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F07C80, Relevance: 1.4, Strings: 1, Instructions: 143COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: oeScript
                                              • API String ID: 0-529018259
                                              • Opcode ID: f94949ca03afc088edfb49aba4a7ebeeb2f740434b068146df138570b1dfae5d
                                              • Instruction ID: fb88f2b6128c14d04391abbdf86b868380c86ce1efc1f64cfea57d3efc229d8b
                                              • Opcode Fuzzy Hash: f94949ca03afc088edfb49aba4a7ebeeb2f740434b068146df138570b1dfae5d
                                              • Instruction Fuzzy Hash: 3C513671E052098FDB08DFAAD5446AEFBF2FF88211F14D0AAD419B7250E734AA01DF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02747C19, Relevance: 1.3, Strings: 1, Instructions: 81COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: '
                                              • API String ID: 0-668217069
                                              • Opcode ID: a2594f66daa3845fc467ea4e28f55a336c7a82ae3a469f09ad7e2ed9c2bf25c6
                                              • Instruction ID: d2b182dc8922f68b87109bd029a2c1ccc19e3aaaec945c58fdbca54b31d10239
                                              • Opcode Fuzzy Hash: a2594f66daa3845fc467ea4e28f55a336c7a82ae3a469f09ad7e2ed9c2bf25c6
                                              • Instruction Fuzzy Hash: 23317F70E06208EBDB48DFA4C54966EFBF6EB89344F20D5AAC006E7264DB348B00DB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0DBA0, Relevance: .3, Instructions: 258COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 47eedfc310ba00fc9861f4873ca71daffa4169b68cabcf22c3b42f5b12eb20f4
                                              • Instruction ID: 0ec9bc10f0222003ca51b5112f503580d8a9ba1181103ffe1abb4f7e2daa844b
                                              • Opcode Fuzzy Hash: 47eedfc310ba00fc9861f4873ca71daffa4169b68cabcf22c3b42f5b12eb20f4
                                              • Instruction Fuzzy Hash: 20B115B0E05259CFCB08DFE9C98059EFBF2AF88341F14D22AD409AB354D73499429F65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0DB90, Relevance: .3, Instructions: 255COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 272fc43831e1d718199e436b4b222ba2f2b4b0bfdad3e0e4ffc8e2f7f64b8d0b
                                              • Instruction ID: f10dc3722f301346ec026a95523aac61ad203b5b5a10318f8c9fc1000ecfa428
                                              • Opcode Fuzzy Hash: 272fc43831e1d718199e436b4b222ba2f2b4b0bfdad3e0e4ffc8e2f7f64b8d0b
                                              • Instruction Fuzzy Hash: 01B113B4E05259CFCB08DFE9C98059EFBB2AF88341F14D22AC409AB294D73499429F65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE0006, Relevance: .2, Instructions: 155COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6e02356d3020242d00103145bd450a7167a44ab27bf4642535f30b4a83abd8b8
                                              • Instruction ID: 59f96a039907512fd95d3691f4a91fe1d4765464a68153cff59e47806d86d90b
                                              • Opcode Fuzzy Hash: 6e02356d3020242d00103145bd450a7167a44ab27bf4642535f30b4a83abd8b8
                                              • Instruction Fuzzy Hash: 19516970D0575A8BCB69CF66CC447E9BBB2BFC9300F0482EAD418A6A15EB705E859F50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE0040, Relevance: .2, Instructions: 154COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 84f293dfd790aac0e302fcfae3f50b8a5c8ed243e5472f67a3f9fa51ce5b572d
                                              • Instruction ID: 8a28413b8dec03cd83f64adef3d0ae33b6fcf51adc48b6dec81d8571030fb3b4
                                              • Opcode Fuzzy Hash: 84f293dfd790aac0e302fcfae3f50b8a5c8ed243e5472f67a3f9fa51ce5b572d
                                              • Instruction Fuzzy Hash: D3614971E0562A8BCB68CF66C8407A9F7B2FBC8300F0485BAC41DA7B14EB715E959F40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F06040, Relevance: .2, Instructions: 152COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 691610b382c952c9a494cb99cae786f72045ed4b036d507231fbbca268eb041e
                                              • Instruction ID: 6e090ac212c1d195853f6790629cef8edf4fa6c9b65dfc8f3a923d68c12d79ac
                                              • Opcode Fuzzy Hash: 691610b382c952c9a494cb99cae786f72045ed4b036d507231fbbca268eb041e
                                              • Instruction Fuzzy Hash: AF51D5B5E05219DFDB04DFAAC980AAEFBB2BF88301F14C16AD514AB255D7349942CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F031C0, Relevance: .2, Instructions: 152COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b36b3bfdefb151f2c88c0e0dc1148a62c42cb4e2a4df3bdb2851403bb704799a
                                              • Instruction ID: 8db4d6bc9541638ecbb09f235dba31b62390ebf803e7c460cd282b921659a4ff
                                              • Opcode Fuzzy Hash: b36b3bfdefb151f2c88c0e0dc1148a62c42cb4e2a4df3bdb2851403bb704799a
                                              • Instruction Fuzzy Hash: 5D51E475E0424C9FDB08DFE9D944AAEBBF2FF89300F14802AD509AB364DB355A028F51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F031D0, Relevance: .1, Instructions: 145COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c58e017b15927368451afa04fdff7e655ecb2588a857840eba3e1f57839a8063
                                              • Instruction ID: b1303f1e9d4067bc59e2b6721e85f1c7d9feaf20af8db72e46730fab6c2e9cfb
                                              • Opcode Fuzzy Hash: c58e017b15927368451afa04fdff7e655ecb2588a857840eba3e1f57839a8063
                                              • Instruction Fuzzy Hash: 1851C475E0021C9FDB08DFE9D944AAEBBF2FF88300F148129D509AB364DB3559128F55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0418C, Relevance: .1, Instructions: 102COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e8a06de244040570ba55f9afe55f948a7310706c9f113746c474d70758d5cbf4
                                              • Instruction ID: 9427fc63bb4e3fbd141b7ab13e7a2692aee38f6689be0682b846643294577af6
                                              • Opcode Fuzzy Hash: e8a06de244040570ba55f9afe55f948a7310706c9f113746c474d70758d5cbf4
                                              • Instruction Fuzzy Hash: 3841BAB4D002489FDB10CFA9D584BDEBBF0BB49318F20912AE515BB690C7749949CFA9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE0264, Relevance: .1, Instructions: 100COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8db4c2dcb8c54665f70bf1b9d91ef26826cce79e8c5390e877a0560bf72981e9
                                              • Instruction ID: da119fb5ab8a0a8425ff96d00118f407806e0cb7bdd28e5d2f27e7da508d81ee
                                              • Opcode Fuzzy Hash: 8db4c2dcb8c54665f70bf1b9d91ef26826cce79e8c5390e877a0560bf72981e9
                                              • Instruction Fuzzy Hash: 5F412A74D4162A8BCB64CF65C844BA9FBB2FF98300F1496EAD419A7B10E7719EC19F40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE02A3, Relevance: .1, Instructions: 98COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eddbaf3bcd2014f7de6a15bcb0934dd286b4297279a1b0cc531dc4a7f0c5fe52
                                              • Instruction ID: 1fb487c6993c3798ade6e794f1694a74ca668f857085222451c6ef88e0096d2a
                                              • Opcode Fuzzy Hash: eddbaf3bcd2014f7de6a15bcb0934dd286b4297279a1b0cc531dc4a7f0c5fe52
                                              • Instruction Fuzzy Hash: D1412A74D0161A8BCB64CF65C940BA9F7B2FF99300F1496EAD419A7710E7719EC19F40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE02E5, Relevance: .1, Instructions: 96COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ccf1d3e77cc142f48c4f975798133d04d73bb13c900c7d0b4db59fca90fa8c1d
                                              • Instruction ID: bd52f5b244e75ae03286d5fae0434022bbb57a3f8ff678e9052ef513e5ce01d7
                                              • Opcode Fuzzy Hash: ccf1d3e77cc142f48c4f975798133d04d73bb13c900c7d0b4db59fca90fa8c1d
                                              • Instruction Fuzzy Hash: 7D412A70D0162A8BCB64CF65C940BA9F7B2FF98300F1496EAD419A7B00E7719EC59F40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE0248, Relevance: .1, Instructions: 94COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df220cb57a364c90ee414456d297fb1a4fcf20ccf8bf263e4426718ed91701e1
                                              • Instruction ID: a1576ddfa4fcbe7aac21e1c12d518470e0a114955c6fb34c1b67ec1dea01b9ad
                                              • Opcode Fuzzy Hash: df220cb57a364c90ee414456d297fb1a4fcf20ccf8bf263e4426718ed91701e1
                                              • Instruction Fuzzy Hash: 86413770D0161B8BCB68CF65C940BA9BBB2FF98300F1496EAC019A7B00E7719EC49F40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F04198, Relevance: .1, Instructions: 94COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 578e8a5109890bb95e5e450af6a12bd96b1190d8a97b5bb0d26f74895fdbd9b5
                                              • Instruction ID: a4acbc42b44acbabb411314b8f4589deb2461296b1ddea3876714b034ec66b06
                                              • Opcode Fuzzy Hash: 578e8a5109890bb95e5e450af6a12bd96b1190d8a97b5bb0d26f74895fdbd9b5
                                              • Instruction Fuzzy Hash: 2E41AAB4D012089FDB10CFA9C584BDEFBF0BB49308F20912AE515BB290C775A949CF69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE02D6, Relevance: .1, Instructions: 90COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 66c51eeece118855a4cfa71520daf1f61197cd4677f922c95ac59db0d631d8d2
                                              • Instruction ID: 3947d114ab3ae83a3fd301f708448c155d4560cc5e975e3f3840572f1d3a1538
                                              • Opcode Fuzzy Hash: 66c51eeece118855a4cfa71520daf1f61197cd4677f922c95ac59db0d631d8d2
                                              • Instruction Fuzzy Hash: 21412A70D0161B8BCB68CF65C941BA9F7B2FF98300F1496EAD419A6B10E7719EC59F40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F06518, Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0148dce8b4b7c60ff9c23b5da854a1ec60c2d30059c41745ba9904beb1a2abc8
                                              • Instruction ID: dd79a709259dfb693357a620c3f2b8fae5f4233070c37b965f09d7e84b6bb852
                                              • Opcode Fuzzy Hash: 0148dce8b4b7c60ff9c23b5da854a1ec60c2d30059c41745ba9904beb1a2abc8
                                              • Instruction Fuzzy Hash: 1521DB71E04618DFEB18DFABD84069EFBF3AFC9200F14C0BAC508A6254EB3419458F51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F06509, Relevance: .1, Instructions: 70COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e9b3bb654ac359dcee371b4158b8b99a68b1a926bdf4529fd64591b60e1c667
                                              • Instruction ID: eba0b880cf28f7cb9ab8eada06f277a2faad39f7ae72eb3e30d98b55c64898b2
                                              • Opcode Fuzzy Hash: 0e9b3bb654ac359dcee371b4158b8b99a68b1a926bdf4529fd64591b60e1c667
                                              • Instruction Fuzzy Hash: 8921DD71E056589FEB18CF6BD85069EFBF3AFC9300F14C0BAC508A6254EB3419458F61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F086D0, Relevance: .1, Instructions: 68COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4e46975c4ca963bf36fdafbbca4476723b802d3c611dba017d6f0ea5d0d524f0
                                              • Instruction ID: b73d493490b5681df22d0d9a0f5e0eebc18d6d8a3bc007ea2d33308ded4775bd
                                              • Opcode Fuzzy Hash: 4e46975c4ca963bf36fdafbbca4476723b802d3c611dba017d6f0ea5d0d524f0
                                              • Instruction Fuzzy Hash: 2E21D6B1E006188BEB18CFABD8443DEFBB6AFC8311F14C16AD508AA258DB7519558F50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0461D, Relevance: .1, Instructions: 68COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8c7a0fb360bdcfbc0c662e8dbff048a52d2f3e1ba177749f35af9a77a4b73480
                                              • Instruction ID: f03cc596999e69d626dc994e1760eedbb6ce2c7b118eedbdc0fd431451360281
                                              • Opcode Fuzzy Hash: 8c7a0fb360bdcfbc0c662e8dbff048a52d2f3e1ba177749f35af9a77a4b73480
                                              • Instruction Fuzzy Hash: 3421C2B5D00208DFCB14CFAAD444AEEFBB1BB89325F10D12AE914B7290E7349940CF98
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F086C0, Relevance: .1, Instructions: 67COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 82a60ca3a4bb60f7e466517fa95c68b77fabb9b21a1772916eac3e4a14a63744
                                              • Instruction ID: 9faef68d44348e0d87337bdba22c1b907442790739ebf9cb5ee765749e9010d6
                                              • Opcode Fuzzy Hash: 82a60ca3a4bb60f7e466517fa95c68b77fabb9b21a1772916eac3e4a14a63744
                                              • Instruction Fuzzy Hash: 1821D671E046588BEB18CFABDC547DEBFB2AFC9311F14C16AD408AA258DB740949CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F04628, Relevance: .1, Instructions: 59COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 958cf147a731d40c4ddfefd4f068bd035cacf0fb3a432e0e625095c0f56c8919
                                              • Instruction ID: e56260eb315c5c207edda7cdb673b58e5d02377c6e4070e3cc9834a2a351147b
                                              • Opcode Fuzzy Hash: 958cf147a731d40c4ddfefd4f068bd035cacf0fb3a432e0e625095c0f56c8919
                                              • Instruction Fuzzy Hash: F221AEB4D002089FCB04CFAAC444AEEFBF1AB49315F10E129E924B72A0E7348940CF98
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F07FC0, Relevance: 2.6, Strings: 2, Instructions: 74COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: Wta$uYbm
                                              • API String ID: 0-2454655967
                                              • Opcode ID: f12af6a0a72ff886481c3b7e9fe4af4ba8d1a893927545c92ab87ced54d10436
                                              • Instruction ID: 3a433f722f5967ad982fb2e8207099cd99e771fb493114b7e7babfbe619e41d2
                                              • Opcode Fuzzy Hash: f12af6a0a72ff886481c3b7e9fe4af4ba8d1a893927545c92ab87ced54d10436
                                              • Instruction Fuzzy Hash: A13107B0E04249DFCB48CFA9D98059EBBF1FF89301F25C5AAC518AB355D734AA418F91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F07FD0, Relevance: 2.6, Strings: 2, Instructions: 70COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: Wta$uYbm
                                              • API String ID: 0-2454655967
                                              • Opcode ID: 1b2f21ed16f957c6eefeabff91f1ce659a912420d0fe4cf973c05bde47b9d291
                                              • Instruction ID: a18c7a2da189151061e905793286ccbe06016456847947e82593110d1f40c5d7
                                              • Opcode Fuzzy Hash: 1b2f21ed16f957c6eefeabff91f1ce659a912420d0fe4cf973c05bde47b9d291
                                              • Instruction Fuzzy Hash: A521D6B0E14209DFCB48CFA9C98199EBBF2EF88341F21C5A9C518A7354D7349A419F95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE1C64, Relevance: 1.7, APIs: 1, Instructions: 229processCOMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0ECE1E4C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 9d514f9babe9a85081e2aff0e2cff9d5224d85124ddb32058254cd9b20fcce46
                                              • Instruction ID: 213b140c6d4ef1f4bfbffd97d05d435ba64dd24f7f68fbf5916cf5cbf384d6d3
                                              • Opcode Fuzzy Hash: 9d514f9babe9a85081e2aff0e2cff9d5224d85124ddb32058254cd9b20fcce46
                                              • Instruction Fuzzy Hash: F391F0B1D0426DDFDB25CFA5C884BDEBBB1BB49304F0490AAE548B7210DB309A85CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE1C70, Relevance: 1.7, APIs: 1, Instructions: 222processCOMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0ECE1E4C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 637ce24abc7679a7899d8da52107550c551f8deeff10f83155c27f93145d6b16
                                              • Instruction ID: a56a185fc4ac7a0148fd41d8d15ce33b06e91e0c53c61fe60038311fde654ba2
                                              • Opcode Fuzzy Hash: 637ce24abc7679a7899d8da52107550c551f8deeff10f83155c27f93145d6b16
                                              • Instruction Fuzzy Hash: C881EFB1D0026DDFDB25CFA5C884BDEBBB1BB49304F0491AAE548B7220DB309A85CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 027480FC, Relevance: 1.6, APIs: 1, Instructions: 126COMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 02749681
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 14b29dae330b7a76f532f02971b97f45e5ea4918d40933e2f11f73d61a9c5d24
                                              • Instruction ID: 89180d6839b6d500d6add2301ab56c223a255e79114a6e0784c6473523addf06
                                              • Opcode Fuzzy Hash: 14b29dae330b7a76f532f02971b97f45e5ea4918d40933e2f11f73d61a9c5d24
                                              • Instruction Fuzzy Hash: 5A51F371D0422CCFDB21CFA4C884BCEBBB5AF49304F5184AAD509BB251DB756A89CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE2408, Relevance: 1.6, APIs: 1, Instructions: 114injectionCOMMON
                                              Download Yara Rule
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0ECE24E6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 27a6fa69dccdb3835a77931e12084096cccc27451b86a73e10585dae00a1520c
                                              • Instruction ID: efc477c60413cc11d1f72689ef338b9d3bc4c722de9027b16a012e888b5656b4
                                              • Opcode Fuzzy Hash: 27a6fa69dccdb3835a77931e12084096cccc27451b86a73e10585dae00a1520c
                                              • Instruction Fuzzy Hash: 7E4187B5D012589FCB14CFA9D984ADEFBF1BB49310F24902AE918BB310D375AA45CB64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE2410, Relevance: 1.6, APIs: 1, Instructions: 112injectionCOMMON
                                              Download Yara Rule
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0ECE24E6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: e953252df71a5307e025e080a4abc4ce280bc004d2599618242c1644d1aceacd
                                              • Instruction ID: ff9b96d01f0bce6c6d86ac88b8e341857fd76695a18d5e0197f5f7e416da3174
                                              • Opcode Fuzzy Hash: e953252df71a5307e025e080a4abc4ce280bc004d2599618242c1644d1aceacd
                                              • Instruction Fuzzy Hash: 314186B5D01258DFCB14CFAAD984ADEFBF5BB49310F24902AE818B7310D335AA45CB64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE21D9, Relevance: 1.6, APIs: 1, Instructions: 106COMMON
                                              Download Yara Rule
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0ECE2295
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 6b3af352235893218ef4b6e6bc41ee8ee4292ce44c5846dcc6c8175cbf009615
                                              • Instruction ID: 2e32829ef0c0a9d14da5899a7c5a0f479a565ad566f30152ed9391584f054700
                                              • Opcode Fuzzy Hash: 6b3af352235893218ef4b6e6bc41ee8ee4292ce44c5846dcc6c8175cbf009615
                                              • Instruction Fuzzy Hash: 8B4187B9D042589FCF10CFAAE984ADEFBB5BB49320F14902AE814B7310D335A945CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE22F8, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0ECE23AD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: d71be76f58195e703d9b3a33ab739adff5ead0c1d951320d996328b1903910c2
                                              • Instruction ID: 026a3225f7c254d2cba2dad24850f65f369c9c8d6cdd3f57fccfaf834df02dc8
                                              • Opcode Fuzzy Hash: d71be76f58195e703d9b3a33ab739adff5ead0c1d951320d996328b1903910c2
                                              • Instruction Fuzzy Hash: 013185B9D042589FCF10CFAAE884ADEFBB5BB49310F10A02AE914B7310D735A945CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE21E0, Relevance: 1.6, APIs: 1, Instructions: 102COMMON
                                              Download Yara Rule
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0ECE2295
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: f137dedb4fadc02cf473635a8b43d6c9061deb857f412e037b5cafeee4078b9c
                                              • Instruction ID: 208a4e11804e40e2d6710039de6c1d107697cff47eaa43646ddd07447035e3a0
                                              • Opcode Fuzzy Hash: f137dedb4fadc02cf473635a8b43d6c9061deb857f412e037b5cafeee4078b9c
                                              • Instruction Fuzzy Hash: DC4196B9D042589FCF10CFAAD984ADEFBB5BB49310F10A02AE814B7310D335AA45CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE2300, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0ECE23AD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 89476402fabca01f5fd3515f49370447647c9e1968d4346ab7149415e5adc559
                                              • Instruction ID: bb5d67c5f91f737461f9529da6463d83bc7121f0b056e2270bba11da72deec7c
                                              • Opcode Fuzzy Hash: 89476402fabca01f5fd3515f49370447647c9e1968d4346ab7149415e5adc559
                                              • Instruction Fuzzy Hash: 5A3164B8D042589FCF14CFAAD984A9EFBB5BB59310F10A02AE814B7310D335A945CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0274CD60, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(?,?,?), ref: 0274DFA2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 0a87188905ea52f1fb8e3bf1a036a75b641c3d36143825b3ba57c29d9a416992
                                              • Instruction ID: 15a4ec68947afca397e70f9c291660c6bbc22e5474bd455cd2f3c87400f278fa
                                              • Opcode Fuzzy Hash: 0a87188905ea52f1fb8e3bf1a036a75b641c3d36143825b3ba57c29d9a416992
                                              • Instruction Fuzzy Hash: 9F4196B8D042589FCF20CFA9D484A9EFBF0BB49314F14906AE828B7310D774A946CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE20C1, Relevance: 1.6, APIs: 1, Instructions: 94threadinjectionCOMMON
                                              Download Yara Rule
                                              APIs
                                              • SetThreadContext.KERNELBASE(?,?), ref: 0ECE217A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: ContextThread
                                              • String ID:
                                              • API String ID: 1591575202-0
                                              • Opcode ID: b02fef91ce22753e03ad0ce61ac5a2e328a54359b0bce6eb18422affa4d49a8d
                                              • Instruction ID: 4c19a35c8f34dc7a634508a39e5ee2c842bdc4b0c007a7bd1f2637678edb25e3
                                              • Opcode Fuzzy Hash: b02fef91ce22753e03ad0ce61ac5a2e328a54359b0bce6eb18422affa4d49a8d
                                              • Instruction Fuzzy Hash: DE31BCB5D012589FCB14CFAAD884ADEFBF4BB49314F14802AE518B7310D774AA45CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02742C53, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02742CFF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 9b9551ba87c1b4839c5104c77a24fea94ef5a082a3442c20d9e9fee576ce146a
                                              • Instruction ID: 988b98f6e3def79c27c739000cd18e449e562cf44219f0f932034e5125d7cacb
                                              • Opcode Fuzzy Hash: 9b9551ba87c1b4839c5104c77a24fea94ef5a082a3442c20d9e9fee576ce146a
                                              • Instruction Fuzzy Hash: A531A7B9D042589FCF10CFAAD484AEEFBB0BB09310F14906AE814B7320D734A945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02742C58, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02742CFF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 2ddb13bb59107eae6ebe2d8f5f893a034c1818f20234982cd5639769e99d97e9
                                              • Instruction ID: 65cee2154fea61be24c8d006978f1f2ef3f98d969e351ff560d52e3cb0c0270d
                                              • Opcode Fuzzy Hash: 2ddb13bb59107eae6ebe2d8f5f893a034c1818f20234982cd5639769e99d97e9
                                              • Instruction Fuzzy Hash: 5F3198B9D042589FCF10CFAAD484ADEFBB0BB59314F14902AE814B7310D774A945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE20C8, Relevance: 1.6, APIs: 1, Instructions: 90threadinjectionCOMMON
                                              Download Yara Rule
                                              APIs
                                              • SetThreadContext.KERNELBASE(?,?), ref: 0ECE217A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: ContextThread
                                              • String ID:
                                              • API String ID: 1591575202-0
                                              • Opcode ID: 4ab0902aa1f1d124d2d5824c95f83ef8a6905aecb1c15fe3255df9da0509ddb3
                                              • Instruction ID: 6d8442f88a72c5c58913b5d780597cee863005924b4304535ec7f0c1cd122b2f
                                              • Opcode Fuzzy Hash: 4ab0902aa1f1d124d2d5824c95f83ef8a6905aecb1c15fe3255df9da0509ddb3
                                              • Instruction Fuzzy Hash: FE31AAB4D012589FCB14CFAAD884ADEFBF4BB49314F14802AE418B7310D778AA45CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE29E0, Relevance: 1.6, APIs: 1, Instructions: 89windowCOMMON
                                              Download Yara Rule
                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 0ECE2A83
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: b02bfad6a682393c2d5f7d9e85146b9b2260e9f6c584c4f7037b2c0d398b5aff
                                              • Instruction ID: 68b63f120dd2bd897380b93e57db50b0379c15b514c80b34aacd3b3cff03deb8
                                              • Opcode Fuzzy Hash: b02bfad6a682393c2d5f7d9e85146b9b2260e9f6c584c4f7037b2c0d398b5aff
                                              • Instruction Fuzzy Hash: 983176B9D01258AFCB14CFA9E484ADEFBF5AB49310F14902AE814B7310D375A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02740199, Relevance: 1.6, APIs: 1, Instructions: 89COMMON
                                              Download Yara Rule
                                              APIs
                                              • OutputDebugStringW.KERNELBASE(?), ref: 02743FEA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID: DebugOutputString
                                              • String ID:
                                              • API String ID: 1166629820-0
                                              • Opcode ID: e9d99a3773fa4854ed14d98d23145d66fa7eb7379456ba7f75ee459773782daf
                                              • Instruction ID: 506f51bf9acae67bb0334ebcf52e0a44af3afacd23d9aafce21a5551409adb2d
                                              • Opcode Fuzzy Hash: e9d99a3773fa4854ed14d98d23145d66fa7eb7379456ba7f75ee459773782daf
                                              • Instruction Fuzzy Hash: CB31DCB4D042589FCB14CFA9D884ADEFBF0AF49314F1480AAE818B7321D734A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE29E8, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON
                                              Download Yara Rule
                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 0ECE2A83
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: bb66a73b7a184b6aeadb17927e00672d609eaf7de3fa41b6b469e3459b6e994f
                                              • Instruction ID: 6ec0bf4c9c9c49d47921bdd710838bfa7daa1d6a1f259a2c18d98a5474d2c586
                                              • Opcode Fuzzy Hash: bb66a73b7a184b6aeadb17927e00672d609eaf7de3fa41b6b469e3459b6e994f
                                              • Instruction Fuzzy Hash: 9C3185B8D01258AFCB14CFA9E484ADEFBF4BB49310F14902AE818B7310D335A945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 027401EC, Relevance: 1.6, APIs: 1, Instructions: 81COMMON
                                              Download Yara Rule
                                              APIs
                                              • OutputDebugStringW.KERNELBASE(?), ref: 02743FEA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID: DebugOutputString
                                              • String ID:
                                              • API String ID: 1166629820-0
                                              • Opcode ID: e467c66d45a566faf8bd6474d613e5e82d33ac2ad8d9ea814ac4b22c5ab8a40d
                                              • Instruction ID: f0536a7955be9e13a21a4150520617b45505921ac719dec30257bc926e49d9a3
                                              • Opcode Fuzzy Hash: e467c66d45a566faf8bd6474d613e5e82d33ac2ad8d9ea814ac4b22c5ab8a40d
                                              • Instruction Fuzzy Hash: 7031B9B4D042189FCF14CFAAD484ADEFBF5AB49314F14806AE818B7320D774A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02743F48, Relevance: 1.6, APIs: 1, Instructions: 79COMMON
                                              Download Yara Rule
                                              APIs
                                              • OutputDebugStringW.KERNELBASE(?), ref: 02743FEA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID: DebugOutputString
                                              • String ID:
                                              • API String ID: 1166629820-0
                                              • Opcode ID: 9de53980e35516bfdd492eb116aa4d99a83adad522542d7e69205152cd9b6df2
                                              • Instruction ID: 66f285cd6ff512e2ed98f75c5b26ea52a87ca4ef0c292399440b4ea3f4c4aa40
                                              • Opcode Fuzzy Hash: 9de53980e35516bfdd492eb116aa4d99a83adad522542d7e69205152cd9b6df2
                                              • Instruction Fuzzy Hash: 3531B8B4D002198FCB14CFA9E584ADEFBF1AB48314F14906AE818B7320DB74A945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0274DBE8, Relevance: 1.6, APIs: 1, Instructions: 76COMMON
                                              Download Yara Rule
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(?), ref: 0274DC7A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 3f7a7e2e4c347db80e4a3f2193eff74eac392b736cd97b45a10243c3868135ca
                                              • Instruction ID: 2ca5623e98ee42583e9845be4fd99658ecab837fbfb70d6c1384e578948fe7b1
                                              • Opcode Fuzzy Hash: 3f7a7e2e4c347db80e4a3f2193eff74eac392b736cd97b45a10243c3868135ca
                                              • Instruction Fuzzy Hash: 3131CAB4D012099FCB24CFA9D484ADEFBF5AB49314F14806AE818B7320D774A941CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 027401F8, Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                              Download Yara Rule
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 027440C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: 2a1c3e5e0fa3da7ca953ca4258766017370a23395b0e39ce0a9356d178d105e4
                                              • Instruction ID: 1c1915e5777565f75143c56fe3b4136d474cec9704769f8e02220e8751f1a436
                                              • Opcode Fuzzy Hash: 2a1c3e5e0fa3da7ca953ca4258766017370a23395b0e39ce0a9356d178d105e4
                                              • Instruction Fuzzy Hash: FF31AAB5D042189FCB20CFA9D484AEEFBF4AB49324F14906AE814B7310D779A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE2631, Relevance: 1.6, APIs: 1, Instructions: 72threadCOMMON
                                              Download Yara Rule
                                              APIs
                                              • ResumeThread.KERNELBASE(?), ref: 0ECE26B6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 7826b2b28331280c9e6f5ee8eb7c95836f1b8bcbb95d5c3e0977016645bd935e
                                              • Instruction ID: fc4858e79b40c3a786dc2199dff2150effca65562a1661814d3c8aaa23f4e886
                                              • Opcode Fuzzy Hash: 7826b2b28331280c9e6f5ee8eb7c95836f1b8bcbb95d5c3e0977016645bd935e
                                              • Instruction Fuzzy Hash: A931AAB8D042189FCB14CFA9E484ADEFBF4BB49324F14906AE814B7310D775A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02744041, Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                                              Download Yara Rule
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 027440C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: 753aa741595d6f670be29bd6326f8d0f2807ae02b5ef32bd8e70bc89dc10f1fe
                                              • Instruction ID: bd917bc86166ac2db3472696b74c6b835f8f8b766e69b508d297319b21b3f7e7
                                              • Opcode Fuzzy Hash: 753aa741595d6f670be29bd6326f8d0f2807ae02b5ef32bd8e70bc89dc10f1fe
                                              • Instruction Fuzzy Hash: 8C31B9B8D00218DFCB14CFA9E484AEEFBF1AB49324F14906AE814B3350D739A945CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE2638, Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON
                                              Download Yara Rule
                                              APIs
                                              • ResumeThread.KERNELBASE(?), ref: 0ECE26B6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 70b398f94153f71ca435d3fb18aef7bac62617fa373b4758b934b33e0869d0c0
                                              • Instruction ID: 8ad36cc3e8640bf4f72a6bafcc3bfa31a580d6d0bed773e4f1f5aad1db45afff
                                              • Opcode Fuzzy Hash: 70b398f94153f71ca435d3fb18aef7bac62617fa373b4758b934b33e0869d0c0
                                              • Instruction Fuzzy Hash: 16218AB4D002189FCB14CFA9D484ADEFBF4BB49324F14905AE814B7310D775A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F03560, Relevance: 1.6, Strings: 1, Instructions: 309COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: <*l
                                              • API String ID: 0-3406226607
                                              • Opcode ID: d78a7430a8a221fe1bec4713efe426f9f667eb5f226f0a9f2cd2d18923be44ad
                                              • Instruction ID: d4744f9965af859407e46de10717525d1d146710d76464d60d77120116ef131e
                                              • Opcode Fuzzy Hash: d78a7430a8a221fe1bec4713efe426f9f667eb5f226f0a9f2cd2d18923be44ad
                                              • Instruction Fuzzy Hash: 99C16971B041189FCB14DFB8D859AAEBBF6AF88315F158069E906DB3A0DB30DC41DB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F056C0, Relevance: 1.5, Strings: 1, Instructions: 210COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: `)l
                                              • API String ID: 0-2607251424
                                              • Opcode ID: 985aed8761f97b45c05e42f243ec1576a4281c144b0cc3afb4fab2986de6e7d0
                                              • Instruction ID: c17a0e6090b6b5e6160cfa9f0785c09f1cc6c3c32323f3553174ba5b8ad114ba
                                              • Opcode Fuzzy Hash: 985aed8761f97b45c05e42f243ec1576a4281c144b0cc3afb4fab2986de6e7d0
                                              • Instruction Fuzzy Hash: 87910171D01229CFDB14DFA9C844BDDBBB2BF89304F1480A9D508BB291DB70AA85DF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F09854, Relevance: 1.4, Strings: 1, Instructions: 149COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: 5j,
                                              • API String ID: 0-2820710924
                                              • Opcode ID: 712b62bf941c4e4c5f39e6b1c2a75691b638363af3f6c4c7e4a7f926f8b36a3c
                                              • Instruction ID: 3c4bb4346bf4aceedecc1b56b5099c55a8260744cd5b07f6e34d7827debfc306
                                              • Opcode Fuzzy Hash: 712b62bf941c4e4c5f39e6b1c2a75691b638363af3f6c4c7e4a7f926f8b36a3c
                                              • Instruction Fuzzy Hash: 39514874E0020ADFCB04CFAAC4818AEFBB2FF89301F649155D515AB255E374EA82DF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F056B0, Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: `)l
                                              • API String ID: 0-2607251424
                                              • Opcode ID: de6c33ff1da52fc14249e0af4dad047225500422f0149092397d8e9ab86307d4
                                              • Instruction ID: c871ba7eb18a6512df54a8b65651b5945f81a88c4052ab9b71806501b30f5692
                                              • Opcode Fuzzy Hash: de6c33ff1da52fc14249e0af4dad047225500422f0149092397d8e9ab86307d4
                                              • Instruction Fuzzy Hash: FD313971E01258CFDB18CFAAD8507EEBBB2AF89301F10C0AAD548B7250DB745A85CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0F928, Relevance: 1.3, Strings: 1, Instructions: 78COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: D0*l
                                              • API String ID: 0-976622781
                                              • Opcode ID: 040ec670da4167e0dc96d298d1e4ceadd77c093ecef794ad7a1662e4a3624aad
                                              • Instruction ID: 7eb087e6b740e0ad13357b4cf088561b774f03cb8dbc6e71afed6c36746d40c6
                                              • Opcode Fuzzy Hash: 040ec670da4167e0dc96d298d1e4ceadd77c093ecef794ad7a1662e4a3624aad
                                              • Instruction Fuzzy Hash: 26216B31A142089FDB14EBF8D855AEEBBB6EF88315F008129E506AB6D4DF345D019B61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0CA79, Relevance: 1.3, Strings: 1, Instructions: 28COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: 8&
                                              • API String ID: 0-2777766955
                                              • Opcode ID: 39e8ab1f024b5cf32d1c038f4715c743cefdfd2085a5be11d6154e9838b583aa
                                              • Instruction ID: 582271ddfec86d2a0dcc92fe2214409131f8addbc86d8d84daa46ce568f87db4
                                              • Opcode Fuzzy Hash: 39e8ab1f024b5cf32d1c038f4715c743cefdfd2085a5be11d6154e9838b583aa
                                              • Instruction Fuzzy Hash: 22F03775A0520ADFCB84EFA4D45599EBBB2FB88315F108A269415EF3A8D7309D46CF00
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0C9AE, Relevance: 1.3, Strings: 1, Instructions: 14COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: }4
                                              • API String ID: 0-2117615419
                                              • Opcode ID: e9896732ad9258e61605152afe3fa10c9b0efbc73a390219387005e8b47816de
                                              • Instruction ID: bd9eac3c19fc84daa9093293d40a20c52e9f4b7de57d47ee360e0c55e11a95a7
                                              • Opcode Fuzzy Hash: e9896732ad9258e61605152afe3fa10c9b0efbc73a390219387005e8b47816de
                                              • Instruction Fuzzy Hash: A9E01774D04109DFEB44DFA6D1854AEFBF0EB85751700A05AC415E7264D3388906EF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F04900, Relevance: .2, Instructions: 167COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8abeaf3fdf326e212da2f7496d6b01523ed16de99970b50b9f15a7e1d1c360e1
                                              • Instruction ID: f53dac566b26f97ad656db9ee601eb2e6d39c55b8bc6da9bee0e6db57de12ccc
                                              • Opcode Fuzzy Hash: 8abeaf3fdf326e212da2f7496d6b01523ed16de99970b50b9f15a7e1d1c360e1
                                              • Instruction Fuzzy Hash: 1C616A71A00609DFCB04DFA8C844A9DBBF1FF88315F108169E909AB3A0DB31AD45CF84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F048F1, Relevance: .2, Instructions: 161COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 741bc38a45383871a00721e34f9c826550eef8afa0b601da5bbb7ba2b8daf764
                                              • Instruction ID: f167e03cef46a447d92e320d2cbeaac18e238425fb8cd168eec5982a593cfc44
                                              • Opcode Fuzzy Hash: 741bc38a45383871a00721e34f9c826550eef8afa0b601da5bbb7ba2b8daf764
                                              • Instruction Fuzzy Hash: 90616975A00609DFCB14DFA9C858A9DBBF1FF88315F108169E509AB3A0DB70AD85CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F03FE8, Relevance: .2, Instructions: 156COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 435380804d50ab71bba329b2d4c42b23cc411e5e24842ce1a5e207b43580bacf
                                              • Instruction ID: 335fc690db408d8cd52faf8d51f6e716d4eaa182a36419240c427d74d174d1d0
                                              • Opcode Fuzzy Hash: 435380804d50ab71bba329b2d4c42b23cc411e5e24842ce1a5e207b43580bacf
                                              • Instruction Fuzzy Hash: B251E471B002158FCB14DB79D8488BFBBBAEFC4325B158569E519DB391EF309C068B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0351F, Relevance: .2, Instructions: 155COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 374c6d79ec08a9092d55aa29fb1fb7d38fa562ab413a3848c9a561b1c9215cff
                                              • Instruction ID: da348f58b81d484e54e0a66b936307b1d4d315c0624950874f3ad19720be2492
                                              • Opcode Fuzzy Hash: 374c6d79ec08a9092d55aa29fb1fb7d38fa562ab413a3848c9a561b1c9215cff
                                              • Instruction Fuzzy Hash: 25516675E04209DFCB25CF68D848AADBBB1FF48316F10846AE846AB3A1D731D841DF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0FA40, Relevance: .1, Instructions: 148COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 12c6ee43fb8dacda4971e49c3f6b2cef65c0abd4f2405a9db38d6a8b041bf267
                                              • Instruction ID: c0f0990979f773c0ea7c5392b56d9a5da5d7ea10121b966dbbfdee42bb22b5c2
                                              • Opcode Fuzzy Hash: 12c6ee43fb8dacda4971e49c3f6b2cef65c0abd4f2405a9db38d6a8b041bf267
                                              • Instruction Fuzzy Hash: 084190B1E041168FCB689BBCC8946AEB7E2EFC9205B54847AD409DB3D0DF3588429F91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F04F58, Relevance: .1, Instructions: 131COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 19d508d6849b33d7e2286c20f45ea62443863f32200408e4c5bee4005a8b556c
                                              • Instruction ID: 6878c1e5e94db6ade8f1282dc0853e55f107e896065512d647bb6b652b5b595a
                                              • Opcode Fuzzy Hash: 19d508d6849b33d7e2286c20f45ea62443863f32200408e4c5bee4005a8b556c
                                              • Instruction Fuzzy Hash: CC51C0B5D102599FCB10DFA9D844AEEFBB4BF89310F14851AE918B7200E770A985CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0C720, Relevance: .1, Instructions: 120COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fc38c5cf80d06c83f2f8599ff08e8784e19eb7cb8212b997424d61de20466c85
                                              • Instruction ID: 509eabb6fd1c5e8ec4d057aece520fe2cce9792afde3f93994af797003ad6beb
                                              • Opcode Fuzzy Hash: fc38c5cf80d06c83f2f8599ff08e8784e19eb7cb8212b997424d61de20466c85
                                              • Instruction Fuzzy Hash: 1A518770E04208DFDB48DFA9D48499DBBF2FB89312F05D569E409DB26ADB349941EF80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F06030, Relevance: .1, Instructions: 113COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5778b6a6d72a5a8c729a006561163d2a53545e4f195e17ea1a76747ea8bec9dd
                                              • Instruction ID: 8343daec6bfdc97f0336b137d0bc22dcd388d204aeba5920e6df37a2cc7b3814
                                              • Opcode Fuzzy Hash: 5778b6a6d72a5a8c729a006561163d2a53545e4f195e17ea1a76747ea8bec9dd
                                              • Instruction Fuzzy Hash: 6441F5B5E052189FDB04DFAAC940AEEBBF2AF88301F14C06AD514EB354DB749946CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0C6D9, Relevance: .1, Instructions: 113COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a5a8073861d3502c461c53074cdfe4bd8fa824c1509ac8ea9d9cac6d4536860b
                                              • Instruction ID: dbefb9ab727cd2d0cb88cb9279d4ccfbea380303830c53ed2619e8151c24d1ff
                                              • Opcode Fuzzy Hash: a5a8073861d3502c461c53074cdfe4bd8fa824c1509ac8ea9d9cac6d4536860b
                                              • Instruction Fuzzy Hash: AC41CB70909249DFDB49DB69D44088DBBF2FB86211F05C9AAC404DF2A6DB349905DF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F06209, Relevance: .1, Instructions: 104COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: faaf5fef9b2faa0dc1e734d4c55d89aae0631fbb2c61a9cfff8304214dd703f6
                                              • Instruction ID: ef4a3983522a41242ceb09ba15a6d1acfa3796c1ebc5cb7eed95c94cc2a22e3a
                                              • Opcode Fuzzy Hash: faaf5fef9b2faa0dc1e734d4c55d89aae0631fbb2c61a9cfff8304214dd703f6
                                              • Instruction Fuzzy Hash: 2841F674E01218DFDB08CFA9D994ADEBBB2BF89304F14802AE505BB394DB745846CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F06218, Relevance: .1, Instructions: 97COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: da7f5b8d3cb3f8ef3294cd90aeba5c60d58d09bfecb677995c1aa72837ba06fb
                                              • Instruction ID: a1be710940126bb1f70024bb48ac66c876a6e7fcb4fb4a431a8a5cc1128d6e53
                                              • Opcode Fuzzy Hash: da7f5b8d3cb3f8ef3294cd90aeba5c60d58d09bfecb677995c1aa72837ba06fb
                                              • Instruction Fuzzy Hash: 8E41E574E00218DFDB08CFA9D994A9EBBF2BF88304F148029E905BB394DB745846CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F07E89, Relevance: .1, Instructions: 88COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a0a839554bc62c13df23d9289c7bc5792ef13fa794541dc74a02941ae5c77c1e
                                              • Instruction ID: 5e25eba2a6318f0620c4e50aacde9adc767c2833e8927b07b14d13ab26ef6c7e
                                              • Opcode Fuzzy Hash: a0a839554bc62c13df23d9289c7bc5792ef13fa794541dc74a02941ae5c77c1e
                                              • Instruction Fuzzy Hash: C231D5B4E05209DFCB44DFA9C4809AEBBB2EB88201F1095AAD415E7354D774AA41CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F07E98, Relevance: .1, Instructions: 82COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a6a3868bbdd12a295b840ab86d599d7b3d5da52c6e95a46257c68550b0c00d53
                                              • Instruction ID: 139369b441aa7d41054749353f881861ed88b0654521390b6515888b3e390f3d
                                              • Opcode Fuzzy Hash: a6a3868bbdd12a295b840ab86d599d7b3d5da52c6e95a46257c68550b0c00d53
                                              • Instruction Fuzzy Hash: EA31C4B4E05209DFCB44DFAAC5809AEFBF2BB88301F1095AAD415A7354D375AA41CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0D8E2, Relevance: .1, Instructions: 80COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a195da9b085c91fa75326ac71cbf2fa236bfbc9b4c8fa0c1126fb52477fb88e0
                                              • Instruction ID: 8045c8ec183db3cad587542c9e6a4719f6889f30e7ae369e1c1e12d1d83e97de
                                              • Opcode Fuzzy Hash: a195da9b085c91fa75326ac71cbf2fa236bfbc9b4c8fa0c1126fb52477fb88e0
                                              • Instruction Fuzzy Hash: 11313675E042099FCB04DFAAD9415EEBBB2FB89311F14C12AC915B7344EB349A46CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F063E0, Relevance: .1, Instructions: 78COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 32085eca135c663c1236524d53d02781fe3daacb006c7c964d7d1d1c5b087c60
                                              • Instruction ID: efd6726feed7323592a4ee54674f979887882ccb1d8aa8f351d64cd5f1a84ac4
                                              • Opcode Fuzzy Hash: 32085eca135c663c1236524d53d02781fe3daacb006c7c964d7d1d1c5b087c60
                                              • Instruction Fuzzy Hash: 3A31AE74A05208DFC744DFB8E54969DBBB2EF85205F1484AAD408DB261E7349A29DB41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C9D210, Relevance: .1, Instructions: 76COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732305384.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1854051c32de2c8672042839400bc03ca6401538856470a489208edc13a92b0
                                              • Instruction ID: f76d4c3d160570fe2f84b04f8e71c642a0f5ebe4828504c2dfefc6f40a031385
                                              • Opcode Fuzzy Hash: c1854051c32de2c8672042839400bc03ca6401538856470a489208edc13a92b0
                                              • Instruction Fuzzy Hash: 892137B1504740EFDF05CF50D9C8B26BB65FB88324F24C5A9E9066B24AC336DC16CBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C9D4D8, Relevance: .1, Instructions: 75COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732305384.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: de2ecb9eb9bbce41129eee7e1fc6f04d4f0832b223931ee670663fe3e3631ba4
                                              • Instruction ID: 4cdb26e4f652689660ec6731272f394977ee4715f1a4bb7b14eb56e356db7cc3
                                              • Opcode Fuzzy Hash: de2ecb9eb9bbce41129eee7e1fc6f04d4f0832b223931ee670663fe3e3631ba4
                                              • Instruction Fuzzy Hash: C22167F1504204DFDF04CF10C9C8B26BBA5FB88328F21C5A8E9066B206C336DD46CBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00CBD01C, Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732348297.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5a846eb9f2fb59f86d5e3237ab41a7d08900288ec8b96fefac6b0974bf297f8f
                                              • Instruction ID: 7957c67150287d297608552a91c82819f90226a5508885cf6a0fe0f427613cec
                                              • Opcode Fuzzy Hash: 5a846eb9f2fb59f86d5e3237ab41a7d08900288ec8b96fefac6b0974bf297f8f
                                              • Instruction Fuzzy Hash: B22137B1504204DFDB14EF10E5C0B56BBA1FB88314F24C5ADD80A4B246D33AD807CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00CBD1D4, Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732348297.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 943282902a40932e84608836be6aa4947ab00e9383f7807b8658aaef7a6aab16
                                              • Instruction ID: 8a29191b4d7ad57f1f0c8eebd1f924dafad056e5bb3aa04729a33b737ba0b206
                                              • Opcode Fuzzy Hash: 943282902a40932e84608836be6aa4947ab00e9383f7807b8658aaef7a6aab16
                                              • Instruction Fuzzy Hash: 1D2129B1504284EFDB05CF10D5C0B66BBA5FB84318F24C5BDE90A4B246D336DC46CB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0D8F0, Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e0b8b83db901a87a11bc941a8d70b0a0cf486b5d33d90e4a3fd27e0fc2fc9569
                                              • Instruction ID: ef66494aeada29c24888c53ed32fdac045b70a5e02fac0ede59fa2f346361e39
                                              • Opcode Fuzzy Hash: e0b8b83db901a87a11bc941a8d70b0a0cf486b5d33d90e4a3fd27e0fc2fc9569
                                              • Instruction Fuzzy Hash: 3621F774E042199FCB44DFEAC5455EEBBB2FB88201F10D52AC915B7344EB349A468FA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F09B88, Relevance: .1, Instructions: 70COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5db2f0de75e62b599e1ec87aa3a0efc4f7757c45a6d6f3f896bccc77b28ddccc
                                              • Instruction ID: e9a4c956e67bb5788b51a7aa689a54556940145519228f54e03758a2221e953d
                                              • Opcode Fuzzy Hash: 5db2f0de75e62b599e1ec87aa3a0efc4f7757c45a6d6f3f896bccc77b28ddccc
                                              • Instruction Fuzzy Hash: 7A2136B0E05249DFCB48CFA9D9415AEFBF1AF89201F14D4AAC414E7291E7748A01DF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F09B98, Relevance: .1, Instructions: 69COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dde53f246e7ced4f9d070ea888700892297d0bce4535d12c4f536afc3afb473c
                                              • Instruction ID: eb2dd046720940d3925f2eb607d43d61ad811c0f816b67c1a65e5f1a8d1c6ca6
                                              • Opcode Fuzzy Hash: dde53f246e7ced4f9d070ea888700892297d0bce4535d12c4f536afc3afb473c
                                              • Instruction Fuzzy Hash: D72127B0E0520ADFCB48CFAAC9415AEFBF1AF88201F20D4AAC414E7291E7749A01DF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F03EF8, Relevance: .1, Instructions: 66COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 81e79e37f02d80404f23fb8e802b15bccb17674ef0c264bfaa2cff2dc00d0155
                                              • Instruction ID: 02f6396adc790fbc49753a163e1d0518daabb2ea11e551f293f39c8d08039bf1
                                              • Opcode Fuzzy Hash: 81e79e37f02d80404f23fb8e802b15bccb17674ef0c264bfaa2cff2dc00d0155
                                              • Instruction Fuzzy Hash: 0F118675F00215CF8B19EBB858116EEB7B5AFC5256B14047ED504E7340EB32C95A8BA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F03FD9, Relevance: .1, Instructions: 63COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c6c57e3c8f4d37567af11ab5b93b0baab08903c4b5785c347d1c94c50105b3fc
                                              • Instruction ID: b4180bf35fa94683e2dbf735dcb364e904072bc2ce30d200edc9b86b6f6f37aa
                                              • Opcode Fuzzy Hash: c6c57e3c8f4d37567af11ab5b93b0baab08903c4b5785c347d1c94c50105b3fc
                                              • Instruction Fuzzy Hash: 3E1106B5B002094F8B11DBBC88044BF77FBEBC4221715852EE465E3380EF308D068B64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00CBD005, Relevance: .1, Instructions: 62COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732348297.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8dedd58b15323ebb296306e7b4dba3b127896199fd1e277662ac5bd1fc840522
                                              • Instruction ID: ca7fe8bafd10271c30b5a47ceaa891a37176b0f1b4ea1f450bee8eb9eb5a86ee
                                              • Opcode Fuzzy Hash: 8dedd58b15323ebb296306e7b4dba3b127896199fd1e277662ac5bd1fc840522
                                              • Instruction Fuzzy Hash: E0219D755093C08FCB12CF20D994B55BF71EB46314F28C5EAD8498B6A7C33AD80ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0F2E8, Relevance: .1, Instructions: 61COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0c1494eb89d28451c7445343cf01b74c2a70e03f946c0e64aca9925490c1bb3e
                                              • Instruction ID: 2d0c231e1537d1ff25111c6b600a69d63a8bddb9dec9ecfd0b2007abaf16e84b
                                              • Opcode Fuzzy Hash: 0c1494eb89d28451c7445343cf01b74c2a70e03f946c0e64aca9925490c1bb3e
                                              • Instruction Fuzzy Hash: 9F114C71B142188FDB389B79881567E76A6EB84772F04813DE90ACB3C4EF3599029BD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F03F08, Relevance: .1, Instructions: 58COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8ba636346eb59413843e2d00c7d441ffecb9f61ad5d37396db4601d360afa6a1
                                              • Instruction ID: 3ab48a3ad87d4bbc654981ae1e6461ccf6b72182909a277f5d87721e787d31e7
                                              • Opcode Fuzzy Hash: 8ba636346eb59413843e2d00c7d441ffecb9f61ad5d37396db4601d360afa6a1
                                              • Instruction Fuzzy Hash: CF111F71F00219CF8B58EBB994106EFB7F6AF84256B10407DD505EB380EB32DD5A8BA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C9D20B, Relevance: .1, Instructions: 57COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732305384.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5bcdf25f8c0d83409c88d5fcb563ae0df5d76bc3b1193e8b7528079880efd3ea
                                              • Instruction ID: 9f811daefcfba7ee0e14376e14ed4af160a38a50e691f8e7cdc60261c863a781
                                              • Opcode Fuzzy Hash: 5bcdf25f8c0d83409c88d5fcb563ae0df5d76bc3b1193e8b7528079880efd3ea
                                              • Instruction Fuzzy Hash: 6521AF76404680DFCF16CF54D9C8B16BF71FB88320F24C6A9D8055B656C33AD966CBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C9D4D3, Relevance: .1, Instructions: 56COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732305384.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
                                              • Instruction ID: 7e9446e876331457a14afbff71a7631cff2caa21371fdf8ccbaf0a546f461ce1
                                              • Opcode Fuzzy Hash: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
                                              • Instruction Fuzzy Hash: 6711E6B6404280CFCF11CF10D5C4B16BF71FB98324F24C6A9D8061B656C33AD956CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00CBD1CF, Relevance: .1, Instructions: 53COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732348297.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bbf2c8cf6e9aa963d3f8e87034f12a02946631990a170d17c82b680eb3c0f293
                                              • Instruction ID: 3f275dea9bd2b90524cc3563cbadc4d094fb9b6cd41a4b228f029b8e9b9abfdf
                                              • Opcode Fuzzy Hash: bbf2c8cf6e9aa963d3f8e87034f12a02946631990a170d17c82b680eb3c0f293
                                              • Instruction Fuzzy Hash: 16118B75904280DFCB11CF10D5C4B55BBB1FB84324F28C6A9D84A4B656D33AD94ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0F2DA, Relevance: .1, Instructions: 52COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a49bed24810c14427f3dc14382f8d8420b5b729c74cac8a0e5d05f864e25dace
                                              • Instruction ID: 6a33d04bab7b0ab5ee0e4d87714dd1cdbee0d7b3adc73e8649440282fec43a1b
                                              • Opcode Fuzzy Hash: a49bed24810c14427f3dc14382f8d8420b5b729c74cac8a0e5d05f864e25dace
                                              • Instruction Fuzzy Hash: 3D018479E0021C9FCB20DBA998117EEB7B1FB88722F40416ED945D7244DB3049168BD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C9D745, Relevance: .0, Instructions: 45COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732305384.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f2c8d2b4374cfcc05ca1ecd19b3ba439324c5ec38e93e429c3c4148bfe781724
                                              • Instruction ID: 176fbca442cd98406457ebe5e0266a0f32930756568c4a356ae3d4c89cae6e2c
                                              • Opcode Fuzzy Hash: f2c8d2b4374cfcc05ca1ecd19b3ba439324c5ec38e93e429c3c4148bfe781724
                                              • Instruction Fuzzy Hash: 96012B710083449AEF108F66CCC8B67FB98DF41334F18C55AED166B24AD3789C40CAB1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0F254, Relevance: .0, Instructions: 44COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 746245a4781009ac584e5a393110acd62f8d466c797b551c170c767e6c3ee1c6
                                              • Instruction ID: 76e3f2b04053ad2ef640da118613ff3dededa79873b341168a03eac580d50796
                                              • Opcode Fuzzy Hash: 746245a4781009ac584e5a393110acd62f8d466c797b551c170c767e6c3ee1c6
                                              • Instruction Fuzzy Hash: CD11E13480B3899FC702EBB8D8407DDBFB4AB46315F0486DED4988B552CB704119EBC2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0F8D0, Relevance: .0, Instructions: 43COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3450613b2bf5b931d9b33ae91c402b16a1dad54c41148440cd95ba3ce275d2dc
                                              • Instruction ID: 7b3408848d43880e6900b65fc4321d85c18fa6e2038b70ccc1b6d16b9dd9b7eb
                                              • Opcode Fuzzy Hash: 3450613b2bf5b931d9b33ae91c402b16a1dad54c41148440cd95ba3ce275d2dc
                                              • Instruction Fuzzy Hash: 12016D76E14248AFCF50CBB8E4442DDBFF4DB89222F1040AAD504E22C0DA351A95DF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F046F1, Relevance: .0, Instructions: 42COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1902e16d87f3acb5721313636b9a751e5bb3f748569dfff51f9282459dc7a35
                                              • Instruction ID: 68e3b0691ea7394377bd4cf2c1b16a1cb33dbd0597119d61b2e662ceace89f9c
                                              • Opcode Fuzzy Hash: c1902e16d87f3acb5721313636b9a751e5bb3f748569dfff51f9282459dc7a35
                                              • Instruction Fuzzy Hash: 99F090727082A45F9304C76AA884CA7BBEEEBCA670315807AF548CB312C9209C4587B1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F09CA2, Relevance: .0, Instructions: 40COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 81171da67ce40b673ec831d8962406845f9712493f236d464b5653e5646abaf7
                                              • Instruction ID: b905a313fed84e73069a6ed1814ae348d0d6fc3688d077ce5e557b702b34e77e
                                              • Opcode Fuzzy Hash: 81171da67ce40b673ec831d8962406845f9712493f236d464b5653e5646abaf7
                                              • Instruction Fuzzy Hash: 3F011A78A04248AFC705DBA9D444A9DBFF1AF49210F05C0EAE4089B362D734A995DF41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0F918, Relevance: .0, Instructions: 37COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6c92722cb6d19fc4427422dc2d5d7f35cd2990e32d7751af32473c9ec6e21b2d
                                              • Instruction ID: c626302974830a16210ffe25ab06bdc245931576229cfac4096e67dfb391ad51
                                              • Opcode Fuzzy Hash: 6c92722cb6d19fc4427422dc2d5d7f35cd2990e32d7751af32473c9ec6e21b2d
                                              • Instruction Fuzzy Hash: 29F09732A14208DEEF2427BDED823EA7BB0DF88332F200676C415911C0DE310498DB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C9D744, Relevance: .0, Instructions: 36COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732305384.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eaf7cf1ca9f872f5d768befa7393c2ccf25075a380409709e570c0d1760de25b
                                              • Instruction ID: 6a86ec3e82c4036332ed37361a38a1d954244d8517e36e7f191f1993f6263034
                                              • Opcode Fuzzy Hash: eaf7cf1ca9f872f5d768befa7393c2ccf25075a380409709e570c0d1760de25b
                                              • Instruction Fuzzy Hash: EAF096714043449EEB108F55DCC8B63FFA8EB95734F18C45AED196B28AD3799C44CAB1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F09CB0, Relevance: .0, Instructions: 34COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: abac53c45ec916d18fa72294de22b5ec167f66e29f98af3aa80afd2745b18afa
                                              • Instruction ID: c6977d983960e450ac349bb509536ad405ac4d7b5454edb164231c832a0fd7b5
                                              • Opcode Fuzzy Hash: abac53c45ec916d18fa72294de22b5ec167f66e29f98af3aa80afd2745b18afa
                                              • Instruction Fuzzy Hash: 4201A478E00208AFCB44DFA9C589A9DBFF1AF48210F05C0A9E518AB361D7359955DF41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F04700, Relevance: .0, Instructions: 32COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a5566dff9af1f48068bc742a6a22b60fb1f0a74ce2386663b7ae8c6b5dc2c909
                                              • Instruction ID: 75495a1ee2d5b72d9d88b854c2c38fc961856d3c609f147a75e02f21a6631c71
                                              • Opcode Fuzzy Hash: a5566dff9af1f48068bc742a6a22b60fb1f0a74ce2386663b7ae8c6b5dc2c909
                                              • Instruction Fuzzy Hash: 8EE06D727041246F5304DB6EEC84C6BBBEEEBCD674351813AF50CCB311DA309C0186A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0E028, Relevance: .0, Instructions: 30COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 769094fa075142a27a86f3743f0f7f7df736e675252b388b2bd49761d7c31f5d
                                              • Instruction ID: 226da0deec20a138bf3ead4935bfc67667c59559814ce4993754262dd176139a
                                              • Opcode Fuzzy Hash: 769094fa075142a27a86f3743f0f7f7df736e675252b388b2bd49761d7c31f5d
                                              • Instruction Fuzzy Hash: 5FF058B0C042589FCB01DFB8E8056EEBFB4AB08211F008AAAD828D7641D7740A81CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F03ED1, Relevance: .0, Instructions: 30COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8ae0868a4df4dd38f404dc4c22acdeda1fca05500b2ff24916de4fd3f8775d43
                                              • Instruction ID: 7641d56a8e05dc6e75993339470f879d439964d21ba4607413dffebebcebdfd2
                                              • Opcode Fuzzy Hash: 8ae0868a4df4dd38f404dc4c22acdeda1fca05500b2ff24916de4fd3f8775d43
                                              • Instruction Fuzzy Hash: 6EE0E579A052548ECB02AB78A8105DABFB5FB8631670040BBD140D6221D332C51DDBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F034D1, Relevance: .0, Instructions: 29COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 609d5ff49c8ea5b124c8d6f8e0f765930288396bdf7d84ef9d040c90d8c63c63
                                              • Instruction ID: 9f25f088b125fa25944d576a2512427841781e9a877d7503400bbf274dc7b684
                                              • Opcode Fuzzy Hash: 609d5ff49c8ea5b124c8d6f8e0f765930288396bdf7d84ef9d040c90d8c63c63
                                              • Instruction Fuzzy Hash: 3AF0A731905348AFCF06CFA4E8006DD7FB1FB4A311F14819AF914D6261C3314A64EB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F06663, Relevance: .0, Instructions: 26COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 746cb61540b147a265806ccbbd1b3455777d78d0177feaca945c0e2d20308f49
                                              • Instruction ID: 432998e8704cd2e1bfffa3b101a10c7359bfa9dea7db58fddf8be71096d9fdd2
                                              • Opcode Fuzzy Hash: 746cb61540b147a265806ccbbd1b3455777d78d0177feaca945c0e2d20308f49
                                              • Instruction Fuzzy Hash: 1EF0F430E12219CFDB58CF68DA40A9CB3B2BB88200F1485AAD009E3398DB34AA518F14
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0C89A, Relevance: .0, Instructions: 23COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4027ea8b0ac3d259531d82c46687a78f1387e3933f247beac5ff3591d020269a
                                              • Instruction ID: e738cc1ff83613f9dbb91a027ef0f1bd148fd936249d4d7f9e917849c564b669
                                              • Opcode Fuzzy Hash: 4027ea8b0ac3d259531d82c46687a78f1387e3933f247beac5ff3591d020269a
                                              • Instruction Fuzzy Hash: 55F0ED79A052098FCB84DFA4D49488CBFB2BB88302B10842AC416EA758D738584ADF00
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F089CC, Relevance: .0, Instructions: 23COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9d174e3bb04af20161064da85c7e437e9e0593c992b0584491416ee34265c25c
                                              • Instruction ID: 061f93f52d5c5216d569edefa3b4d5b8672b41754a31d92ee93b09cffe275776
                                              • Opcode Fuzzy Hash: 9d174e3bb04af20161064da85c7e437e9e0593c992b0584491416ee34265c25c
                                              • Instruction Fuzzy Hash: C9F07F75D01258CFCB90CFA8CA80ADDBBB1AB48310F204096E408B7314DA349E85DF21
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F034E0, Relevance: .0, Instructions: 21COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c5fcd07fc9d6ecd07625e960077df5420bad5923b43033f64300e928f9a88a6d
                                              • Instruction ID: 21e4793745449f43208a9b589dfa61e22c3cc8e8284ec9213f04499d13e3e813
                                              • Opcode Fuzzy Hash: c5fcd07fc9d6ecd07625e960077df5420bad5923b43033f64300e928f9a88a6d
                                              • Instruction Fuzzy Hash: EDE0E57590420CAFCB09DFA4E805A9DBFB5FB48301F008669E914A6250D7315A60EF85
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0F298, Relevance: .0, Instructions: 21COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b0ea98e7b3f1051350d4d24516aa260bb47b19703fd2faff5f96b2c0372f79f9
                                              • Instruction ID: 42c957edc0b2fcf658a88c7f44485bf6ce049534e0d60c4b801b6c7d8d917bf0
                                              • Opcode Fuzzy Hash: b0ea98e7b3f1051350d4d24516aa260bb47b19703fd2faff5f96b2c0372f79f9
                                              • Instruction Fuzzy Hash: FAE0C974D00218EFCB44EFA8D8456ADBBB5FB48301F108569E818A7340D7715A54DF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F09923, Relevance: .0, Instructions: 20COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e7b843c4b18dcc386531f48fd1570534c859d95138c0f1c2f51632ec0f953818
                                              • Instruction ID: 90ddba2a398fb647d59816855b00447199b671850849951e522ef9d901a80cb6
                                              • Opcode Fuzzy Hash: e7b843c4b18dcc386531f48fd1570534c859d95138c0f1c2f51632ec0f953818
                                              • Instruction Fuzzy Hash: A6E092B5D0461DEE8B00CBA989414EEBFF4FF492A0B245A19C162BB395E37446028FE4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0E038, Relevance: .0, Instructions: 19COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 414d326bd982ca7264cf16048bcf1c7d77ba2259ace4667ab202cb09cc5c175f
                                              • Instruction ID: 42a3d9a8743765d24dbce11a87db8a53b0dc0e727c125f178a3e99f61d19a2bd
                                              • Opcode Fuzzy Hash: 414d326bd982ca7264cf16048bcf1c7d77ba2259ace4667ab202cb09cc5c175f
                                              • Instruction Fuzzy Hash: 95E01AB0D0020C9FCB44EFA8D8452AEBBF4FB48301F1086AAD818A3340D7701A11DF80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0F8E0, Relevance: .0, Instructions: 17COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df1627883ef26a3a605df1a796e380e5bf27373f742ca1ee512ece4bb53bf550
                                              • Instruction ID: d3874dba03f21ea968363bd0b41d484a7bb95a580957eaa4802732f1399fea4b
                                              • Opcode Fuzzy Hash: df1627883ef26a3a605df1a796e380e5bf27373f742ca1ee512ece4bb53bf550
                                              • Instruction Fuzzy Hash: 80E0B670D11208AFCB94DFB8E44969CBBF4EB48205F1081A9D818E6280EB355A54DF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F098C1, Relevance: .0, Instructions: 12COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0f59708365a43ae8ea96bed61e7195d2df417a67cb720bf2ded0b7c95b41f55e
                                              • Instruction ID: 671f19000b819db025dd9c77c0bda78d6a8e86b709f03262d80b713cc8452356
                                              • Opcode Fuzzy Hash: 0f59708365a43ae8ea96bed61e7195d2df417a67cb720bf2ded0b7c95b41f55e
                                              • Instruction Fuzzy Hash: B8D02371F49A16C78304C7758491C6E7EF19FC4300B115464C385DB155D3644103CFD8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F09908, Relevance: .0, Instructions: 12COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 54283d9bbda339eb4dace9773fd580994832178859b9fcebfd61a0f4f23cb21c
                                              • Instruction ID: f6b3160e5b3f89f28d5e745066ff668868f2deb3bbb99191b40db0aca4af6f7c
                                              • Opcode Fuzzy Hash: 54283d9bbda339eb4dace9773fd580994832178859b9fcebfd61a0f4f23cb21c
                                              • Instruction Fuzzy Hash: 89D0A772E0D506899704877988518AE7EE19FC1250B205559C6615A195E2B44103DF88
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F08E22, Relevance: .0, Instructions: 11COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: db62aed2bcbe2a31f878870387a654598f473cfa4ddcd283b369133d2450fb3d
                                              • Instruction ID: dc3bd90c3c173579f7d625bb6273edf7b42f23df1fb4513f726e1b5ccc615223
                                              • Opcode Fuzzy Hash: db62aed2bcbe2a31f878870387a654598f473cfa4ddcd283b369133d2450fb3d
                                              • Instruction Fuzzy Hash: DAD06774901318CFCB14CF64CA409DDBBB1FF09302F204095D80567354C7329E81DE10
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F08A2F, Relevance: .0, Instructions: 11COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fa24c716a9f2ff518980e024bb9ecb437eb349ed4ab71ccbfca25e04a0a85d85
                                              • Instruction ID: 0359bba0515e104c4b3a16d379c75f339a9f6e28ee29c95ecd280c0c413197fa
                                              • Opcode Fuzzy Hash: fa24c716a9f2ff518980e024bb9ecb437eb349ed4ab71ccbfca25e04a0a85d85
                                              • Instruction Fuzzy Hash: 63D06C75502314CFC7A4DF64C5849987BB2BB09312F5011A8E80A6B251CB36D985DF10
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F03530, Relevance: .0, Instructions: 10COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 176d9f04753774464ac70c7cf92667564a840cc6581058052b54b0c559a99b48
                                              • Instruction ID: f65521f2b6e60f1316affbf83b246f0ffc1ab815126a8145607c4c18afa0fa6e
                                              • Opcode Fuzzy Hash: 176d9f04753774464ac70c7cf92667564a840cc6581058052b54b0c559a99b48
                                              • Instruction Fuzzy Hash: 0FC0023604020DBBCF025EC1EC05EDA3F6AEB08761F008401FA194846187B395B0ABA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0C61E, Relevance: .0, Instructions: 10COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f25f0738a795bd737410892cb3c9489dec5ec800c2c7f512b54960b6f596deff
                                              • Instruction ID: 330313ef3c8e6aa8ac876334cb36739635191331671ee4f11e8c8ebcf6d171e9
                                              • Opcode Fuzzy Hash: f25f0738a795bd737410892cb3c9489dec5ec800c2c7f512b54960b6f596deff
                                              • Instruction Fuzzy Hash: 4BD0C93190620AEEEB44DF68D980B88B7B1FB84255F64DAA6D545E7128E7309A01DF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Function 08F0E080, Relevance: 1.6, Strings: 1, Instructions: 345COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: D0*l
                                              • API String ID: 0-976622781
                                              • Opcode ID: 2e0e06424ccbf3ed41eb46c2be38bf7035b9c9e3b3d6c3bcb1eb78f1474730cf
                                              • Instruction ID: 44f7b32df33a38f996c8d143c24bf60104eb91b310ab5baa5b2a36e087ef400b
                                              • Opcode Fuzzy Hash: 2e0e06424ccbf3ed41eb46c2be38bf7035b9c9e3b3d6c3bcb1eb78f1474730cf
                                              • Instruction Fuzzy Hash: ECC1CF75E04219CFCF08CFB8C9415AEBBB2AF88315F11892AD555EB391DB349D018FA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0A3E0, Relevance: 1.4, Strings: 1, Instructions: 170COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: P"a'
                                              • API String ID: 0-141340093
                                              • Opcode ID: 467acea8b17b7b7f5564751e891a03c0200244387b1f0b345c258f8af032cef7
                                              • Instruction ID: 02c5119aae1d43898db550d9f9be3a8ae806ffdd075988bf38019d794295bcd2
                                              • Opcode Fuzzy Hash: 467acea8b17b7b7f5564751e891a03c0200244387b1f0b345c258f8af032cef7
                                              • Instruction Fuzzy Hash: 6A710239E01219DFCB08CFA9D88499EFBF1FF89211F14856AE418AB364D734AA41CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0A3F0, Relevance: 1.4, Strings: 1, Instructions: 168COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: P"a'
                                              • API String ID: 0-141340093
                                              • Opcode ID: 5845d90e68d7ef708ab74b3f742297074573a970e843d1d88a84e6049649d5b2
                                              • Instruction ID: 909a2a0de2073505c66daa33b20163f9e35f167f65f40773fa7c2ed2a3c3ee57
                                              • Opcode Fuzzy Hash: 5845d90e68d7ef708ab74b3f742297074573a970e843d1d88a84e6049649d5b2
                                              • Instruction Fuzzy Hash: BB71FF78E11219DFCB08CFA9D48499EFBF2FF88311F14856AE418AB264D734AA51CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0B279, Relevance: 1.4, Strings: 1, Instructions: 156COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: "w?
                                              • API String ID: 0-1815034733
                                              • Opcode ID: 0c62d38b0659c0925821177d5248e882904f5fa62b69a8a7bc7d3d67bcada7bd
                                              • Instruction ID: ed31236936bea8f72342894bf95e55ecbefdc62cf7476ad89f929225f77e6a86
                                              • Opcode Fuzzy Hash: 0c62d38b0659c0925821177d5248e882904f5fa62b69a8a7bc7d3d67bcada7bd
                                              • Instruction Fuzzy Hash: 22514A75E1520ADFCB05CFAAC4805EEFBB1FF89311F24806AD415AB250D3349A42DFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0B288, Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: "w?
                                              • API String ID: 0-1815034733
                                              • Opcode ID: eb69573f43cdac96d8241f2199aaad48ae6c3151983e1156e753792d3e0163a6
                                              • Instruction ID: d0d95a10e9bd02037cf6c57c29e9c7e77c22538408aac4231520bc35a7de9e13
                                              • Opcode Fuzzy Hash: eb69573f43cdac96d8241f2199aaad48ae6c3151983e1156e753792d3e0163a6
                                              • Instruction Fuzzy Hash: 806138B1E1520ADFCB05CFA9C4805EEFBB2FF89311F24902AD415BB250D3349A429FA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0BA18, Relevance: 1.4, Strings: 1, Instructions: 100COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: rXV|
                                              • API String ID: 0-932122566
                                              • Opcode ID: e960985bd0148583aea355065d630d8ee4e7c373244cdc3426ea95a3e90c4982
                                              • Instruction ID: a6e2869e3820afe561c19df118e79d373cf0846bff535b4acd4128c65e8280fa
                                              • Opcode Fuzzy Hash: e960985bd0148583aea355065d630d8ee4e7c373244cdc3426ea95a3e90c4982
                                              • Instruction Fuzzy Hash: 0E41C5B1E0920ADFDB48CFA9C5805EEFBF2EB89311F24C16AC815A7254D7349A41DF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F050FF, Relevance: .3, Instructions: 271COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 665c42ebb43ab90f55e7591e4ebd1eee1fb63a7f1852b70ff55015f632fb0ff4
                                              • Instruction ID: 3e7cf9deb30f91e39be64dbc8099d0c64c5bab29207508c2deb0763a71dfbedd
                                              • Opcode Fuzzy Hash: 665c42ebb43ab90f55e7591e4ebd1eee1fb63a7f1852b70ff55015f632fb0ff4
                                              • Instruction Fuzzy Hash: 22D1F630C1075A8ADB50EFA4C950ADDB3B1FFD5200F51DB9AD1097B264EB706AC8CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F05110, Relevance: .3, Instructions: 264COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b20b616ea53ffa00f2bcf22344a99383b2879b9042aa099f2ed6567843599752
                                              • Instruction ID: d80b0ca93d331b4854cd1f28d80c389aa7722e7d4a56d31e7ef78dcf87e59743
                                              • Opcode Fuzzy Hash: b20b616ea53ffa00f2bcf22344a99383b2879b9042aa099f2ed6567843599752
                                              • Instruction Fuzzy Hash: F1D1E431C2075A8ADB50EFA4C950ADDB3B1FFD5200F51DB9AD5093B264EB706AC8CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0EBFA, Relevance: .2, Instructions: 187COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cb4c319b5535d3ed95f1311c15310a3ba698d7d2f24e3473618a1eea2f214553
                                              • Instruction ID: 81d647066a43506b0b722506fd1b48294e3714db32cdee6df5fc2436d7922aae
                                              • Opcode Fuzzy Hash: cb4c319b5535d3ed95f1311c15310a3ba698d7d2f24e3473618a1eea2f214553
                                              • Instruction Fuzzy Hash: 1F814B70E05219CFDB14CF69C980A9EFBB2BF89305F24C5AAD508AB365D7309941DF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0EC20, Relevance: .2, Instructions: 183COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1fc686fb3df9cea3102021a9cfec4e3697899bcb7ec6091b16c84700b9e65aef
                                              • Instruction ID: 14077cb879372b7978d206f61e0d7f59f25c2489b8c644a472adf9fdecdab3ed
                                              • Opcode Fuzzy Hash: 1fc686fb3df9cea3102021a9cfec4e3697899bcb7ec6091b16c84700b9e65aef
                                              • Instruction Fuzzy Hash: D7813975E04219CFDB14CF69C980A9EFBB2BF89305F10C5AAD508AB355DB309A41CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE15B0, Relevance: .2, Instructions: 182COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1042420111586c2540829359dce4e3fd90141b9097496c7151433f59da4453c7
                                              • Instruction ID: fe755a1ed3e2af078af69b9abe02cd3fd8f645263e66d1359e9b3c7c3a77cf88
                                              • Opcode Fuzzy Hash: 1042420111586c2540829359dce4e3fd90141b9097496c7151433f59da4453c7
                                              • Instruction Fuzzy Hash: 6E812B74E051198BDB14DF69C980AAEFBB2FB89305F24C16AD508AB715D7319D42CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0ECE15A0, Relevance: .2, Instructions: 180COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746666730.000000000ECE0000.00000040.00000001.sdmp, Offset: 0ECE0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 61d3e5a7105c62b27ed5a95daef5aecbae8934de1089a8e18868a447a4d13936
                                              • Instruction ID: 6314eb0952c956fc41d4ebfbb6df7f55702f4df893fc9c28d09897d91b5d1c24
                                              • Opcode Fuzzy Hash: 61d3e5a7105c62b27ed5a95daef5aecbae8934de1089a8e18868a447a4d13936
                                              • Instruction Fuzzy Hash: AD815C70E051598BDB14DF65C980AAEFBF2BF89304F28C16AD508AB716D7309D42CF60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F08130, Relevance: .2, Instructions: 171COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c56e06043b7ba149c5aa06272ed9cb64e4916d0d1c19dc895aaaf61293a17a99
                                              • Instruction ID: d06a4ae3f99383e2709a6814447e4066c4347f326f960e687b279a2c333996e9
                                              • Opcode Fuzzy Hash: c56e06043b7ba149c5aa06272ed9cb64e4916d0d1c19dc895aaaf61293a17a99
                                              • Instruction Fuzzy Hash: 3A712675E2520ADFCB44CFA9D8809EEFBB1FF88391F14942AD515AB250D7349A42CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F08120, Relevance: .2, Instructions: 171COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2d045f11da82cf7d6249b6d192737a7bbf85be0336d63bde17a2a07f41fc35f0
                                              • Instruction ID: daad0b5071decd1988a7e88e3f9a83ee210b4639858a4fbd1785e74da9807385
                                              • Opcode Fuzzy Hash: 2d045f11da82cf7d6249b6d192737a7bbf85be0336d63bde17a2a07f41fc35f0
                                              • Instruction Fuzzy Hash: 94614775E2520ADFCB04CFA9D8809EEFBB1FF89351F14842AD515A7261D3349A42CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0E558, Relevance: .2, Instructions: 159COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d0751739347eef39595b582e4f95275005f16e9e596ed0b0565a93b359e63d00
                                              • Instruction ID: 44f815bdc7a9c6b7cef72a77cbfc0ece70fe4ba5a4667d29124198846df5a884
                                              • Opcode Fuzzy Hash: d0751739347eef39595b582e4f95275005f16e9e596ed0b0565a93b359e63d00
                                              • Instruction Fuzzy Hash: 5B613971E15219CFCB14CFA9D880B9EFBF2BF89204F5085AAE509A7394DB309A419F50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0B7D9, Relevance: .2, Instructions: 158COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2803d9b2531787969bf4acbc14bea2f7afa4f511869f9c663527a2366eadc4ef
                                              • Instruction ID: d8b3a9ba1f5375dc4ae5dee44d769314331f6b318bfe942c4fcf7400a6b94bbb
                                              • Opcode Fuzzy Hash: 2803d9b2531787969bf4acbc14bea2f7afa4f511869f9c663527a2366eadc4ef
                                              • Instruction Fuzzy Hash: 57611375E15209CFCB04CFAAC9808DEFBF2FF88211F24946AD415B7264D330AA429F65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0E548, Relevance: .2, Instructions: 155COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f6f429c27f67d8d054ca29a2c7e652c98ce3be275badda91052b53f54ef7e32c
                                              • Instruction ID: b17c02bc67dff0677bb734c9dc2355da8abebdf66a1c32dc81bf148c2c7db855
                                              • Opcode Fuzzy Hash: f6f429c27f67d8d054ca29a2c7e652c98ce3be275badda91052b53f54ef7e32c
                                              • Instruction Fuzzy Hash: F3611A75E15219DFDB14CFA9C880B9EFBF2BF89200F1485AAD509E73A4DB309A419F50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0B7E8, Relevance: .2, Instructions: 155COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0b93a42e9e4a99bd053009b8a68eb85cee51c89c438529606a5769a5aba3a25d
                                              • Instruction ID: 0f64822358608916753417d35d33b0fa9374aa964792d8dbb9b630cb9d343723
                                              • Opcode Fuzzy Hash: 0b93a42e9e4a99bd053009b8a68eb85cee51c89c438529606a5769a5aba3a25d
                                              • Instruction Fuzzy Hash: 9E61F275E15209CFCB04CFAAC5809DEFBF2FB88211F24946AD415B7264D334AA429F64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 004D808D, Relevance: .1, Instructions: 114COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.731530864.00000000004D3000.00000002.00020000.sdmp, Offset: 004D0000, based on PE: true
                                              • Associated: 00000000.00000002.731518605.00000000004D0000.00000040.00020000.sdmp Download File
                                              • Associated: 00000000.00000002.731524780.00000000004D2000.00000040.00020000.sdmp Download File
                                              • Associated: 00000000.00000002.731641706.000000000056A000.00000040.00020000.sdmp Download File
                                              • Associated: 00000000.00000002.731650035.000000000056B000.00000002.00020000.sdmp Download File
                                              • Associated: 00000000.00000002.731692491.00000000005B3000.00000040.00020000.sdmp Download File
                                              • Associated: 00000000.00000002.731701349.00000000005B4000.00000002.00020000.sdmp Download File
                                              • Associated: 00000000.00000002.731720921.00000000005D1000.00000002.00020000.sdmp Download File
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ec0e5c39d021df6202577054508046d94627bdd9cad67287f96a2b9c92a1e9f6
                                              • Instruction ID: a142aa9e49a4c48f503eca989e313822c2f93cb5d565f6ebba3bdd22c6ba5330
                                              • Opcode Fuzzy Hash: ec0e5c39d021df6202577054508046d94627bdd9cad67287f96a2b9c92a1e9f6
                                              • Instruction Fuzzy Hash: 2241AE6684E3C05FD3038B749C75A913FB1AE27214B0E4ADBC0C1CF1A3D619AA6DD362
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02740470, Relevance: .1, Instructions: 112COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.732530955.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 97e5972a457a7c402c2c2550109904e09c8fde41dc0ab2f5765b48db2a931699
                                              • Instruction ID: 5fb6106b877d652927b1f03e07881ba0ab8dc7cdba05d63ad3f1efac3f1200af
                                              • Opcode Fuzzy Hash: 97e5972a457a7c402c2c2550109904e09c8fde41dc0ab2f5765b48db2a931699
                                              • Instruction Fuzzy Hash: 67417C71E056588BDB2CCF6B8D4439EFBF3AFC9300F14C1BA954CA6225DB300A868E11
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0D290, Relevance: .1, Instructions: 111COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7de6345e9ef485e6606195f163c773ee6dc94e5072de8986fa909672da5e366a
                                              • Instruction ID: c069fc93edd0ce2ad925fd39ed131debb3ae4872f01ca33366dc61bfe4ec5303
                                              • Opcode Fuzzy Hash: 7de6345e9ef485e6606195f163c773ee6dc94e5072de8986fa909672da5e366a
                                              • Instruction Fuzzy Hash: 8A418C70E152588FDB58CFB9D880B9EBBF2AF85210F14C0AAD508AB395D7305A45CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0B5E9, Relevance: .1, Instructions: 101COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0314b3e1b1d676249069148a7a90b6f2f9ad5fc853f6451728939df445c640fa
                                              • Instruction ID: c0bdcb302f6c57f23103f7ec93e0dafbca0354b23457be7bccc2cde8333fd0b9
                                              • Opcode Fuzzy Hash: 0314b3e1b1d676249069148a7a90b6f2f9ad5fc853f6451728939df445c640fa
                                              • Instruction Fuzzy Hash: 0B41E2B1E056099FCB48CFAAC9805AEFBF2EF88310F14C06AD415A7254E7349A418FA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0D2A8, Relevance: .1, Instructions: 100COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2510f47c3b86e4b8cc3d56673e40dcee1763cdf5f99b76ee2edaf0f59abe25fb
                                              • Instruction ID: ef6b8ad6ad3a91a97b8b5c4e1c3038209be6590ec3ebde5b78a801a7a96962f4
                                              • Opcode Fuzzy Hash: 2510f47c3b86e4b8cc3d56673e40dcee1763cdf5f99b76ee2edaf0f59abe25fb
                                              • Instruction Fuzzy Hash: 29414875E112188FDB58DFAAC884B9EFBF2FB88200F10C0AAD508AB354DB305A45DF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0B5F8, Relevance: .1, Instructions: 95COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 669db9a836b222961aaa0c94ee2337c43708f4fff820e52263b10b60aacecad2
                                              • Instruction ID: a336b3d029337790bb804a02d8ad0b5d6dc9a26cbd1e51f7ffd068fe6a86e6ac
                                              • Opcode Fuzzy Hash: 669db9a836b222961aaa0c94ee2337c43708f4fff820e52263b10b60aacecad2
                                              • Instruction Fuzzy Hash: 0141C0B1E046099FCB48CFAAC5805AEFBF2EF88311F14C46AC415B7254E7349A418FA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F042FD, Relevance: .1, Instructions: 78COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: af099a7427d079b9c479cc14db6bbdb304db2c81e58f97567da2088ce0fc260b
                                              • Instruction ID: d3dac2f8ad10a009e5f97221a295a7dfa5404b8695ec7a146136a470d141e693
                                              • Opcode Fuzzy Hash: af099a7427d079b9c479cc14db6bbdb304db2c81e58f97567da2088ce0fc260b
                                              • Instruction Fuzzy Hash: C03192B4D05208DFDB14CFA9D484AEDBBF1BB99315F24A129E814B7390D3349941DF98
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0BBD0, Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 857ba35602584dda7882cbd723abb19676e17d364bd817481466e762089ebd96
                                              • Instruction ID: 21880a66641099af44d17d968217831665e8d20a575dfdc81a40093f181b4922
                                              • Opcode Fuzzy Hash: 857ba35602584dda7882cbd723abb19676e17d364bd817481466e762089ebd96
                                              • Instruction Fuzzy Hash: F021DBB1E056189FEB18CFABD84469EFBF3EFC9201F04C17AC508A6254EB340A468F51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F04308, Relevance: .1, Instructions: 71COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 023d5e70f18f17b4d44760305f6028f4191b71503f64581500325adbe600443a
                                              • Instruction ID: 2b0e5258604f28cf3a09346d0f014f1da3a80808a2bc67924a5438f7e111aad8
                                              • Opcode Fuzzy Hash: 023d5e70f18f17b4d44760305f6028f4191b71503f64581500325adbe600443a
                                              • Instruction Fuzzy Hash: CE318EB4D05208EFCB14CFA9D484AEDBBF1BB99310F24A129E814B7390D3349941DF98
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0BBCA, Relevance: .1, Instructions: 68COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0f4ed036554087fc679d548bc35c515a96e07c85feab9714b3f65da23ee0dbc3
                                              • Instruction ID: a238a4fe8ad67c96e5feb98d741c28d880f2356a78a483738a120fc2904e1c16
                                              • Opcode Fuzzy Hash: 0f4ed036554087fc679d548bc35c515a96e07c85feab9714b3f65da23ee0dbc3
                                              • Instruction Fuzzy Hash: FD21CDB1E056189FEB18DFABD84469EFBF3AFC9300F04C17AD508AA254EB3459468F51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0CC70, Relevance: .1, Instructions: 60COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e428fe124026661daed84066584b3613a01c391aeee00df03c79607e717cf0fe
                                              • Instruction ID: 633c2ffd0551d51541b5a8c9d968c947b0d84b690781f9eead89bb335e2a62ba
                                              • Opcode Fuzzy Hash: e428fe124026661daed84066584b3613a01c391aeee00df03c79607e717cf0fe
                                              • Instruction Fuzzy Hash: 59114471E016198BDB18CFAAD8406AEFBF7EFC8200F14C13AD518A7254DB305A068FA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F0CC6A, Relevance: .1, Instructions: 56COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: efa09ce5b7e48ee28c25649e070e38e302aca6eeb336292265cd987e63393a99
                                              • Instruction ID: 528f343b4f361b376ec3fcb6c3e220e745feaf2964681bb822feecf4b9e901de
                                              • Opcode Fuzzy Hash: efa09ce5b7e48ee28c25649e070e38e302aca6eeb336292265cd987e63393a99
                                              • Instruction Fuzzy Hash: 77113770E116199BDB18CFABD94069EFAF7EFC8200F14C13AD408A7354DB305A458FA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F04554, Relevance: .0, Instructions: 41COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1a8a6787baa9c3b24e67ba3ae624c3e1a9293d0d5e4507626bff23f929c91f9
                                              • Instruction ID: 1e8a2b90a560fefb80a5380905ee0acfa2b740a06d2b695dbc7731d00ce700a2
                                              • Opcode Fuzzy Hash: c1a8a6787baa9c3b24e67ba3ae624c3e1a9293d0d5e4507626bff23f929c91f9
                                              • Instruction Fuzzy Hash: DB01B6B9D0420D9F8F04DFA9D4414EEFBF2AB99311F10A12AE904B3310E73099518FA8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 08F04560, Relevance: .0, Instructions: 34COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.746431498.0000000008F00000.00000040.00000001.sdmp, Offset: 08F00000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
                                              • Instruction ID: 84f9316df6d603f0299aaa5f190fef2363fa74b8e9e3331386b0276e1f819592
                                              • Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
                                              • Instruction Fuzzy Hash: 6AF042B5D0520C9F8F04DFA9D5418EEFBF6AB5A310F10A16AE914B3310E73599518FA8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Analysis Process: uwmDRDg.exe PID: 2740 Parent PID: 3424 uwmDRDg.exeCOMMON

                                              Executed Functions

                                              Function 00C701A4, Relevance: 1.6, APIs: 1, Instructions: 103nativeCOMMON
                                              Download Yara Rule
                                              APIs
                                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00C7354D
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898214364.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                              Similarity
                                              • API ID: InformationProcessQuery
                                              • String ID:
                                              • API String ID: 1778838933-0
                                              • Opcode ID: 2320636d0fb95b099a9bdbf6506f45ca5f8ed4837d3afb096d28e4297d4b4f59
                                              • Instruction ID: e8d40001c5cb1dde01d334562654a11c748249c05020832fa2cf18ee2a0bf92d
                                              • Opcode Fuzzy Hash: 2320636d0fb95b099a9bdbf6506f45ca5f8ed4837d3afb096d28e4297d4b4f59
                                              • Instruction Fuzzy Hash: CC4165B8D042589FCF10CFAAD984ADEFBB5BB09310F10902AE818B7310D375AA45CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C73491, Relevance: 1.6, APIs: 1, Instructions: 102nativeCOMMON
                                              Download Yara Rule
                                              APIs
                                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00C7354D
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898214364.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                              Similarity
                                              • API ID: InformationProcessQuery
                                              • String ID:
                                              • API String ID: 1778838933-0
                                              • Opcode ID: 1cc7909f667dc247dc5ae743705cb22319860ad66bba1228ccc173010e1a1f0a
                                              • Instruction ID: 840212aba5eb0b426d0d1aa3f97ab0e3dd699163bf5d5c9700a24c2aace20ac3
                                              • Opcode Fuzzy Hash: 1cc7909f667dc247dc5ae743705cb22319860ad66bba1228ccc173010e1a1f0a
                                              • Instruction Fuzzy Hash: 874165B8D042589FCF10CFAAD984A9EFBB1BB09310F10906AE818B7210D375A945CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C7FDE8, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                              Download Yara Rule
                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 00C7FE48
                                              • GetCurrentThread.KERNEL32 ref: 00C7FE85
                                              • GetCurrentProcess.KERNEL32 ref: 00C7FEC2
                                              • GetCurrentThreadId.KERNEL32 ref: 00C7FF1B
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898214364.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: bdfa69a36b4c24a1229167a616f38cd7014aa94f512294e9cb519be6e9e39318
                                              • Instruction ID: 19342262ce238dfebaaf87f06ba4c25707c0cfb0087de10d2cfeb521d340f596
                                              • Opcode Fuzzy Hash: bdfa69a36b4c24a1229167a616f38cd7014aa94f512294e9cb519be6e9e39318
                                              • Instruction Fuzzy Hash: AA5145B09006098FEB14CFAAD588B9EBBF0FB48314F24C46DE419A7260D774A945CB66
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C77B50, Relevance: 1.6, APIs: 1, Instructions: 126COMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00C790C9
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898214364.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 46835843c73bd3c75063ee8de1b07baec9ca38c2c99dc3a80a2d92409e12e8ef
                                              • Instruction ID: d5200cdd5b38d4fb401a028fedeef224e618a1cee95a5cfe4f7a0a1acc4c6496
                                              • Opcode Fuzzy Hash: 46835843c73bd3c75063ee8de1b07baec9ca38c2c99dc3a80a2d92409e12e8ef
                                              • Instruction Fuzzy Hash: CC51E171D0422C9FDB20CFA4C884BCEBBB5AF49304F5180AAD559BB251DB716A89CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C7CD30, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(?,?,?), ref: 00C7DF42
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898214364.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 3d8acba8b333d31299aabb850a41338c16574c48749d328306c21362f9700641
                                              • Instruction ID: 5051b8b445cf3a48152625d72b2379674d4160b36bdaf3f0c37a352650419bc0
                                              • Opcode Fuzzy Hash: 3d8acba8b333d31299aabb850a41338c16574c48749d328306c21362f9700641
                                              • Instruction Fuzzy Hash: BE4197B4D052589FCB10CFAAD484A9EFBF1BB49314F14906AE819BB310D374A945CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C72C51, Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C72CFF
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898214364.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 1abc730c96bcd34b2c510c26d3d8dccc9e8bd68a68ebcb43b85f9cf5ff6bdb8b
                                              • Instruction ID: 8f1bb411846423af495d6870260025a1097b6fe49bfccee13117ae78bb7f1d9b
                                              • Opcode Fuzzy Hash: 1abc730c96bcd34b2c510c26d3d8dccc9e8bd68a68ebcb43b85f9cf5ff6bdb8b
                                              • Instruction Fuzzy Hash: F13198B5D042589FCB10CFA9E584ADEFBB0BB19310F14906AE814B7310D774A945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C72C58, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C72CFF
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898214364.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 5610ce00ab0505dd2fb85e2d243b19f646672ad5a0f3de873c897a3ade4c0b25
                                              • Instruction ID: c7b15be29905f7c3b05964aaf9d7341f629ea005d26e9d000c529a47fb780fb3
                                              • Opcode Fuzzy Hash: 5610ce00ab0505dd2fb85e2d243b19f646672ad5a0f3de873c897a3ade4c0b25
                                              • Instruction Fuzzy Hash: 8E3189B5D042589FCF10CFA9E484ADEFBB1BB59310F14902AE814B7310D775A945CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C701EC, Relevance: 1.6, APIs: 1, Instructions: 81COMMON
                                              Download Yara Rule
                                              APIs
                                              • OutputDebugStringW.KERNELBASE(?), ref: 00C7BBB2
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898214364.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                              Similarity
                                              • API ID: DebugOutputString
                                              • String ID:
                                              • API String ID: 1166629820-0
                                              • Opcode ID: 0a5cc3bfe0f6facafcbcc4223a1667e4135cd0973ff3b9ef81c59272b4c8ff38
                                              • Instruction ID: 14ea2ee608a693ba5258af7efb1e6ad1337e92fd8a8854f943c3129d029bed4c
                                              • Opcode Fuzzy Hash: 0a5cc3bfe0f6facafcbcc4223a1667e4135cd0973ff3b9ef81c59272b4c8ff38
                                              • Instruction Fuzzy Hash: CB3196B4D042189FCB14CFAAD984ADEFBF5BB49314F14806AE818B7320D774A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C7DB88, Relevance: 1.6, APIs: 1, Instructions: 76COMMON
                                              Download Yara Rule
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(?), ref: 00C7DC1A
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898214364.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: d2228fcb55fb164d245829c270a4760c3e63cc82b419e9b80e41a0b772c77da7
                                              • Instruction ID: 15694836316ad27f2ffdb24eef50d4d59943d7201f31ee103a8c384620438d33
                                              • Opcode Fuzzy Hash: d2228fcb55fb164d245829c270a4760c3e63cc82b419e9b80e41a0b772c77da7
                                              • Instruction Fuzzy Hash: B73197B4D002199FCB14CFAAD884ADEFBF5AF49314F18806AE818B7310D374A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C701F8, Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                              Download Yara Rule
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 00C7BC8E
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898214364.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: 3690851cb62e4a9b6a41989d8db0d2e06bd3f371575a3e9807abd3a64581a9c9
                                              • Instruction ID: 5684fe9852d4be38dff3e837e263c1d251f3ca1bf4ea2b624b0072b0f2fc9ee4
                                              • Opcode Fuzzy Hash: 3690851cb62e4a9b6a41989d8db0d2e06bd3f371575a3e9807abd3a64581a9c9
                                              • Instruction Fuzzy Hash: E231DDB4D042189FCB10CFAAD484AEEFBF0BB09310F14806AE818B3300D774A941CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00BFD3EC, Relevance: .1, Instructions: 75COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.897994968.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 81d2f9535d311adf5546996b9c490c6c9aebc1f495a47fc05989b92f056e6707
                                              • Instruction ID: dbd4c9af4391100a3840a6a8337bf5066dd1711d88a3cb842b052b06578a169d
                                              • Opcode Fuzzy Hash: 81d2f9535d311adf5546996b9c490c6c9aebc1f495a47fc05989b92f056e6707
                                              • Instruction Fuzzy Hash: A5210DB1504248DFDB05DF14D5C0B36BBA6FB94324F24C5B9DA054B346C336E85AD7A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C0D1D4, Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898049251.0000000000C0D000.00000040.00000001.sdmp, Offset: 00C0D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e81ee3a46067932d3900cec05816dc7cbf9210036a8149b0cba8a6df8a4e79fc
                                              • Instruction ID: 78c34ca68cadaad62b48973d89c1f1d0a36757b4a2249ee11c62b668170ff7b6
                                              • Opcode Fuzzy Hash: e81ee3a46067932d3900cec05816dc7cbf9210036a8149b0cba8a6df8a4e79fc
                                              • Instruction Fuzzy Hash: F72107B1504204EFDB05DF94D5C0B26BBA5FB84314F24C5ADE90A4B286C336DC46CA61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C0D01C, Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898049251.0000000000C0D000.00000040.00000001.sdmp, Offset: 00C0D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c4096ef8d076cddeec11641b2b9f504976b9e194bf75594092d2258e0501b9af
                                              • Instruction ID: d1a34a9d43ca54952fb9881a27af49cfc9ccb59d2b0ac25e31a7574b5ea3e606
                                              • Opcode Fuzzy Hash: c4096ef8d076cddeec11641b2b9f504976b9e194bf75594092d2258e0501b9af
                                              • Instruction Fuzzy Hash: BA2107B1504244EFDB14CF54D9C4B16BBA5FB84318F24C5ADD94E4B286C336D847CB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C0D005, Relevance: .1, Instructions: 62COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898049251.0000000000C0D000.00000040.00000001.sdmp, Offset: 00C0D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1a87c3dc38cf694f0af7527a3a47c7273f2a50b0b8d6077025de912ba99a1fdc
                                              • Instruction ID: 3eab47d40cacf7d3126dbacc46b65c29992ce98d9237e5bc2b9027220f5b64cf
                                              • Opcode Fuzzy Hash: 1a87c3dc38cf694f0af7527a3a47c7273f2a50b0b8d6077025de912ba99a1fdc
                                              • Instruction Fuzzy Hash: 0C216F755093C08FCB12CF24D994B15BF71EB46314F28C5EAD8498B6A7C33AD94ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00BFD3E7, Relevance: .1, Instructions: 56COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.897994968.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
                                              • Instruction ID: 6ad22b0529e77e914cf9595df35a3e97b8ab4371295e194526ff28c52c9eeafd
                                              • Opcode Fuzzy Hash: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
                                              • Instruction Fuzzy Hash: AE11D376404284DFCB11CF10D5C4B26BFB2FB94320F24C6A9D9080B756C33AE85ACBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00C0D1CF, Relevance: .1, Instructions: 53COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.898049251.0000000000C0D000.00000040.00000001.sdmp, Offset: 00C0D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bbf2c8cf6e9aa963d3f8e87034f12a02946631990a170d17c82b680eb3c0f293
                                              • Instruction ID: 944edf16ad8b82b11759ccc2e38211009a9400834e3475532dc37d24b2b1328e
                                              • Opcode Fuzzy Hash: bbf2c8cf6e9aa963d3f8e87034f12a02946631990a170d17c82b680eb3c0f293
                                              • Instruction Fuzzy Hash: 7D119D75904280DFCB11CF54D5C4B15FBB1FB84324F28C6ADD84A4B696C33AD95ACB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00BFD745, Relevance: .0, Instructions: 45COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.897994968.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: de0824ba5e78a640da222d52efa872596813666fec28fd7f6428c267290a67a4
                                              • Instruction ID: 277d9dd305fcb937f4c220b8518acfe3a17b6a2031a54b669e15183de8cad1f8
                                              • Opcode Fuzzy Hash: de0824ba5e78a640da222d52efa872596813666fec28fd7f6428c267290a67a4
                                              • Instruction Fuzzy Hash: 5101D4610082889AE710AB26C8C4B76FBD8DB41364F18C59AEE054F246D3789C48CBB1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 00BFD744, Relevance: .0, Instructions: 36COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.897994968.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0c1388c2f04e329f258d3f34578ba7a0115d533178d76fb26481db67199f49e6
                                              • Instruction ID: a510f7939bc4c1f113c97c4c6724a4bedda4f8359928789fa16ec4c46b997d9f
                                              • Opcode Fuzzy Hash: 0c1388c2f04e329f258d3f34578ba7a0115d533178d76fb26481db67199f49e6
                                              • Instruction Fuzzy Hash: 19F068714042449AE7109F15DCC4B72FBD8DB41774F18C55AED045F256D3759C44CBB1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Analysis Process: uwmDRDg.exe PID: 4752 Parent PID: 3424 uwmDRDg.exeCOMMON

                                              Executed Functions

                                              Function 02BC01A4, Relevance: 1.6, APIs: 1, Instructions: 103nativeCOMMON
                                              Download Yara Rule
                                              APIs
                                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 02BC354D
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908643181.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                              Similarity
                                              • API ID: InformationProcessQuery
                                              • String ID:
                                              • API String ID: 1778838933-0
                                              • Opcode ID: 4b4275b1ab9ce656cff477c0894199296b6f31d81c3b295e0571a1e9e897d60a
                                              • Instruction ID: 65cfe23fff4c5a6c06ee31a53495195491e096462f65e2b47885c61113e80490
                                              • Opcode Fuzzy Hash: 4b4275b1ab9ce656cff477c0894199296b6f31d81c3b295e0571a1e9e897d60a
                                              • Instruction Fuzzy Hash: F54165B9D042589FCF10CFAAD984ADEFBB5BB09310F10906AE818B7310D335A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02BC3491, Relevance: 1.6, APIs: 1, Instructions: 101nativeCOMMON
                                              Download Yara Rule
                                              APIs
                                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 02BC354D
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908643181.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                              Similarity
                                              • API ID: InformationProcessQuery
                                              • String ID:
                                              • API String ID: 1778838933-0
                                              • Opcode ID: 857060e42d3a864542c210763f5f1e2ce44338ca0865dedeab3d1428de10ef9c
                                              • Instruction ID: 67b2dd3fe10ff79f554dada27e16918ce254602e343f2f06b081e72f863afa04
                                              • Opcode Fuzzy Hash: 857060e42d3a864542c210763f5f1e2ce44338ca0865dedeab3d1428de10ef9c
                                              • Instruction Fuzzy Hash: 0D4156B9D042589FCF14CFA9D984ADEFBB1BB59310F10906AE814B7310D335A946CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E721C64, Relevance: 1.7, APIs: 1, Instructions: 227processCOMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0E721E4C
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 827a25111a2056ddb2d2612f23ff2c0bd31a640ef6514ebf13adc7b0591b9e99
                                              • Instruction ID: f1453b866cfd8fc22c6920f99f07a53ac275c628ed55b0e7cef54d2c7fa8ea33
                                              • Opcode Fuzzy Hash: 827a25111a2056ddb2d2612f23ff2c0bd31a640ef6514ebf13adc7b0591b9e99
                                              • Instruction Fuzzy Hash: 7E81E075D0026DDFDB20CFA4C980BEEBBB1BB49304F4491AAE549B7220DB709A85CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E721C70, Relevance: 1.7, APIs: 1, Instructions: 222processCOMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0E721E4C
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 3a2b3ddccad72505e425f221a49ba5854131328059353b36a80df63b26ac30b7
                                              • Instruction ID: 9267ec55a8aa472c0da8dfcad1d83635500b4caec85b4e3f3ad269adcd546c17
                                              • Opcode Fuzzy Hash: 3a2b3ddccad72505e425f221a49ba5854131328059353b36a80df63b26ac30b7
                                              • Instruction Fuzzy Hash: 5C81E171D0026DDFDB20CFA5C880BEEBBB1BB49304F4091AAE548B7220DB309A85CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02BC80FC, Relevance: 1.6, APIs: 1, Instructions: 126COMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 02BC9681
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908643181.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: c5d9b819e0c2354358c1f1ed6a6880523e278ee1a7bb1ef2b3e6e889ad6eaa95
                                              • Instruction ID: 2a357b684d48c4437c91ee2ee9fd46b5115331b0b677a9fc7c3f21c4dbf34f1e
                                              • Opcode Fuzzy Hash: c5d9b819e0c2354358c1f1ed6a6880523e278ee1a7bb1ef2b3e6e889ad6eaa95
                                              • Instruction Fuzzy Hash: 9B510471D0422CCFDB20DFA4C884BDEBBB5BF49304F5180AAD509AB251DB716A89CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E722408, Relevance: 1.6, APIs: 1, Instructions: 114injectionCOMMON
                                              Download Yara Rule
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0E7224E6
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: a46102d123d1b665b1d0047248f64949d1728c45ce916ce30bfb80693c5aabb1
                                              • Instruction ID: de6b1b35f7358df23e988ee3dcedf18b2ea5e7bd83c518c50909821b0c847fd6
                                              • Opcode Fuzzy Hash: a46102d123d1b665b1d0047248f64949d1728c45ce916ce30bfb80693c5aabb1
                                              • Instruction Fuzzy Hash: 884189B5D01258DFCB10CFA9D984ADDFBF1BB09310F24902AE918B7210D374AA45CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E722410, Relevance: 1.6, APIs: 1, Instructions: 112injectionCOMMON
                                              Download Yara Rule
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0E7224E6
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: b62a7d570911d1b9a35565d2c3d236ecf0fa4fd475aea1e228de167c4a134c15
                                              • Instruction ID: ace3800831dbcbe723ccdb4f194ef3d731eec97b0888acf31bcfd5675ba2275c
                                              • Opcode Fuzzy Hash: b62a7d570911d1b9a35565d2c3d236ecf0fa4fd475aea1e228de167c4a134c15
                                              • Instruction Fuzzy Hash: A34178B5D01258DFCB10CFAAD984ADEFBF1BB49314F24902AE818B7210D374AA45CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02BC017E, Relevance: 1.6, APIs: 1, Instructions: 111COMMON
                                              Download Yara Rule
                                              APIs
                                              • OutputDebugStringW.KERNELBASE(?), ref: 02BC402A
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908643181.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                              Similarity
                                              • API ID: DebugOutputString
                                              • String ID:
                                              • API String ID: 1166629820-0
                                              • Opcode ID: 9339490aca51ffc0c110d8459e0143c9401feb9839fbe5176c6190411a6048d8
                                              • Instruction ID: b071f3c77f603e07d1230f33e105a9e2af2587c923605b6ec53ba90d91d76add
                                              • Opcode Fuzzy Hash: 9339490aca51ffc0c110d8459e0143c9401feb9839fbe5176c6190411a6048d8
                                              • Instruction Fuzzy Hash: ED4132B0D082589FCB10CFA9D484ADEFBF0EF49310F1584AAE854B7251D331A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E7221D9, Relevance: 1.6, APIs: 1, Instructions: 103COMMON
                                              Download Yara Rule
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0E722295
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: f15c361a9a858009221f2c4faa56c17f93c21740497a2740eb4917e52e492b85
                                              • Instruction ID: b8bcacbcedafd298758416bee235a819e1b78704afbaccf2c2b2af07c056b89a
                                              • Opcode Fuzzy Hash: f15c361a9a858009221f2c4faa56c17f93c21740497a2740eb4917e52e492b85
                                              • Instruction Fuzzy Hash: 994188B9D04258DFCF10CFAAD584AEEFBB1BB09310F14902AE854B7210D335AA45CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E7221E0, Relevance: 1.6, APIs: 1, Instructions: 102COMMON
                                              Download Yara Rule
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0E722295
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: b2335baae882ce04facabdd273eeff635490355d47022e7915e514366c2c9e09
                                              • Instruction ID: c20ea63b37cd18c4fc380d5ef93ba5bd44fe3f94f06f56fa043355b700f2def4
                                              • Opcode Fuzzy Hash: b2335baae882ce04facabdd273eeff635490355d47022e7915e514366c2c9e09
                                              • Instruction Fuzzy Hash: D34177B9D042589FCF10CFAAD984AEEFBB1BB09310F10902AE814B7210D335AA45CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E7222F8, Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0E7223AD
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: d05046a7d2bdf89da8c20237213ce388d63e003e7a4be07457ef47d206fe2547
                                              • Instruction ID: 64fbe89cbd6c2330b35dba5cca8b90c6a2d39a2d6a9e71987725e9c394f60b2f
                                              • Opcode Fuzzy Hash: d05046a7d2bdf89da8c20237213ce388d63e003e7a4be07457ef47d206fe2547
                                              • Instruction Fuzzy Hash: C63166B9D01258DFCF10CFA9E984A9EFBB1BB49310F10A02AE814B7310D735A945CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E722300, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0E7223AD
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: b1871e57bbaef3cc51550f051e441e8e4e80acc5b44e1916d9014dd03511c8b2
                                              • Instruction ID: 50155ad3ed5dd5d6bad57c328ba894880364961c613a8f3075f365c64d309277
                                              • Opcode Fuzzy Hash: b1871e57bbaef3cc51550f051e441e8e4e80acc5b44e1916d9014dd03511c8b2
                                              • Instruction Fuzzy Hash: 653155B9D042589FCF10CFAAD984A9EFBB5BB59310F10A02AE814B7320D735A945CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02BCCD60, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(?,?,?), ref: 02BCDFA2
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908643181.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 4a1a724c8b4d98af2c439413a0f0628b7536e736c69f44978ba4df9e55a69fdc
                                              • Instruction ID: 59131a1c041fc553312094ccd8e778726f68158d9da8093a7fe4d65ec6bc66b3
                                              • Opcode Fuzzy Hash: 4a1a724c8b4d98af2c439413a0f0628b7536e736c69f44978ba4df9e55a69fdc
                                              • Instruction Fuzzy Hash: 1A4197B9D042599FCF10CFA9D484AAEFBF0BB49314F14906AE818B7210D374A946CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02BC2C52, Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02BC2CFF
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908643181.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 25dc7e46a031378196aa5f20618253cce2088c2f8745654d33cba309e40ce00a
                                              • Instruction ID: f29d6f9357507eb7b97409924da009fe995c37e2d3b32aa525a5eda52f076b01
                                              • Opcode Fuzzy Hash: 25dc7e46a031378196aa5f20618253cce2088c2f8745654d33cba309e40ce00a
                                              • Instruction Fuzzy Hash: B131A7B9D042589FCF14CFA9E484AEEFBB0BB59310F24906AE814B7310C774A945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02BC2C58, Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02BC2CFF
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908643181.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: c1237bf254664c1fa8ab049ab2cf18f7bc8e5fd98694f9619a6f32406b9ce0b5
                                              • Instruction ID: b04fcc1d610df95e6b71cfa4f8f92a00a275ae308c738d6575e58d8900e9d083
                                              • Opcode Fuzzy Hash: c1237bf254664c1fa8ab049ab2cf18f7bc8e5fd98694f9619a6f32406b9ce0b5
                                              • Instruction Fuzzy Hash: B33199B9D042589FCF14CFA9D584AEEFBB0BB19310F24906AE814B7310D774A945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E7220C1, Relevance: 1.6, APIs: 1, Instructions: 93threadinjectionCOMMON
                                              Download Yara Rule
                                              APIs
                                              • SetThreadContext.KERNELBASE(?,?), ref: 0E72217A
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: ContextThread
                                              • String ID:
                                              • API String ID: 1591575202-0
                                              • Opcode ID: aefbf757785d98c93a93d22d07e70c67f3dd19f1afd1fb5d94cd78a3e1febc27
                                              • Instruction ID: 100c39cd8c14b27c829ca0ec0e2da2c62f618c933391f833b90b9780270d14f6
                                              • Opcode Fuzzy Hash: aefbf757785d98c93a93d22d07e70c67f3dd19f1afd1fb5d94cd78a3e1febc27
                                              • Instruction Fuzzy Hash: 5F419BB5D012589FDB10CFAAD984ADEFBF1BB49314F14802AE518B7320D778AA45CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E7220C8, Relevance: 1.6, APIs: 1, Instructions: 90threadinjectionCOMMON
                                              Download Yara Rule
                                              APIs
                                              • SetThreadContext.KERNELBASE(?,?), ref: 0E72217A
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: ContextThread
                                              • String ID:
                                              • API String ID: 1591575202-0
                                              • Opcode ID: 8150b36bb630b2af66574bb44a2ba75970dd2a16302089a1e5ac0f7bba0f4bf0
                                              • Instruction ID: 5b45f63fcee7f8ba5bb1f6ad89f54955820ae0bfb055ed2c4d1441d53224a186
                                              • Opcode Fuzzy Hash: 8150b36bb630b2af66574bb44a2ba75970dd2a16302089a1e5ac0f7bba0f4bf0
                                              • Instruction Fuzzy Hash: 8D319BB5D012589FCB14CFAAD984ADEFBF1BB49314F14802AE518B7310D778AA45CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E7229E0, Relevance: 1.6, APIs: 1, Instructions: 86windowCOMMON
                                              Download Yara Rule
                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 0E722A83
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 40fbddf5d90c23cdbc2a1071c0009d309bdb63aa332a4313c5d22882d20612bd
                                              • Instruction ID: 60b2ac4df669b1623f6f007f31fc5fa14760c110e500865eef9f18abbcbfca73
                                              • Opcode Fuzzy Hash: 40fbddf5d90c23cdbc2a1071c0009d309bdb63aa332a4313c5d22882d20612bd
                                              • Instruction Fuzzy Hash: 2C3167B9D012589FCB14CFA9E584ADEFBF5AB19310F14902AE814BB320D774A945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E7229E8, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON
                                              Download Yara Rule
                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 0E722A83
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 52eff4f03b813c564d5290ca50d354eab0bbe3845107412e9257240fe0215ee9
                                              • Instruction ID: 3f10430434e9b7bece1796b99b95d4534a5b35b6bd5f3e4c3252641b04489725
                                              • Opcode Fuzzy Hash: 52eff4f03b813c564d5290ca50d354eab0bbe3845107412e9257240fe0215ee9
                                              • Instruction Fuzzy Hash: C23198B8D012589FCB10CFA9D584ADEFBF5BB49310F14902AE814B7320D334A945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02BC01EC, Relevance: 1.6, APIs: 1, Instructions: 81COMMON
                                              Download Yara Rule
                                              APIs
                                              • OutputDebugStringW.KERNELBASE(?), ref: 02BC402A
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908643181.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                              Similarity
                                              • API ID: DebugOutputString
                                              • String ID:
                                              • API String ID: 1166629820-0
                                              • Opcode ID: fe01aa5ccff870cc06cdbc8f52e1789ac08c8877eeaa7d99d8bd6fedfce323f2
                                              • Instruction ID: 70fd8db2ca633e3c868d7ce28d13f904b2c119bdb4043ebf41dadf968ccd1329
                                              • Opcode Fuzzy Hash: fe01aa5ccff870cc06cdbc8f52e1789ac08c8877eeaa7d99d8bd6fedfce323f2
                                              • Instruction Fuzzy Hash: F331BCB4D042189FCB14CFAAD584ADEFBF1EB49314F14906AE818B7310D775A945CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02BC3F8B, Relevance: 1.6, APIs: 1, Instructions: 79COMMON
                                              Download Yara Rule
                                              APIs
                                              • OutputDebugStringW.KERNELBASE(?), ref: 02BC402A
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908643181.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                              Similarity
                                              • API ID: DebugOutputString
                                              • String ID:
                                              • API String ID: 1166629820-0
                                              • Opcode ID: 7d58ca80545f9125343c18b9eed52308c6d9364d0b74c15930b6a61b9c818a96
                                              • Instruction ID: 374c0bdb1b6c119fde02cac87fd1ba6beb6c753e643b9013aa3b678ace8c940c
                                              • Opcode Fuzzy Hash: 7d58ca80545f9125343c18b9eed52308c6d9364d0b74c15930b6a61b9c818a96
                                              • Instruction Fuzzy Hash: D6319BB4D002189FCB14CFAAD584ADEFBF5EB49314F14906AE818B7310D775AA45CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02BCDBE8, Relevance: 1.6, APIs: 1, Instructions: 76COMMON
                                              Download Yara Rule
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(?), ref: 02BCDC7A
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908643181.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: f87d0051e3b0f1184c881fc555b112675b07c7dafcc46ac58dc72e2f34b2209f
                                              • Instruction ID: 612391cda0b321b70a5d4a232303fe9c7320a129bf54b9cffb32e1048dab5bff
                                              • Opcode Fuzzy Hash: f87d0051e3b0f1184c881fc555b112675b07c7dafcc46ac58dc72e2f34b2209f
                                              • Instruction Fuzzy Hash: 0D319AB8D002199FCB14CFAAD584ADEFBF5AB49314F14906AE818B7310D374A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02BC01F8, Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                              Download Yara Rule
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 02BC4106
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908643181.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: 65b001083a40769df309b037929069beb3ea8661a8e6b914dd3a0058ba4f702b
                                              • Instruction ID: 2cf6d7ee660c5eeba4542f2806c68c8e32fba5bad726347629b2b603b5820c55
                                              • Opcode Fuzzy Hash: 65b001083a40769df309b037929069beb3ea8661a8e6b914dd3a0058ba4f702b
                                              • Instruction Fuzzy Hash: 9531BBB5D042189FCB10CFA9D584AEEFBF4AB59324F14906AE814B7300D374AA85CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 02BC4083, Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                                              Download Yara Rule
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 02BC4106
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908643181.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: dc381baa1a2d54386d4c797ec1f4946aa8a8a6a4553fcdb1882973da002fbb2c
                                              • Instruction ID: 0d0c8b9173fe8cc93e89261d3527c938bc6265b23f544dac3fb320aeb4866489
                                              • Opcode Fuzzy Hash: dc381baa1a2d54386d4c797ec1f4946aa8a8a6a4553fcdb1882973da002fbb2c
                                              • Instruction Fuzzy Hash: 3D31ACB5D042189FCB10CFA9D984AEEFBF4AB49324F14905AE814B7300D774AA85CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E722631, Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON
                                              Download Yara Rule
                                              APIs
                                              • ResumeThread.KERNELBASE(?), ref: 0E7226B6
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 0ea27aa4a1459da8a54e1ec21c0f06318f6938715e6cf3ca9933e9064cbda55b
                                              • Instruction ID: abfb98c25bd2c23a6b88ffecb1818b77a14a1e83fb1a2e4f2723f87a07afe982
                                              • Opcode Fuzzy Hash: 0ea27aa4a1459da8a54e1ec21c0f06318f6938715e6cf3ca9933e9064cbda55b
                                              • Instruction Fuzzy Hash: 2A21AAB9D012189FCB10CFA9D984ADEFBF4AB49324F14906AE814B7310D734A941CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0E722638, Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON
                                              Download Yara Rule
                                              APIs
                                              • ResumeThread.KERNELBASE(?), ref: 0E7226B6
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.914632275.000000000E720000.00000040.00000001.sdmp, Offset: 0E720000, based on PE: false
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: c53291bb22f167c1117c64e4e8babf7ee66c54f0eb9fd86ad0ace7e61aa5b09f
                                              • Instruction ID: b1d37c1155381bc57b97b41d5654f3fee4451db7468ce5ef09337125c6b6bbcf
                                              • Opcode Fuzzy Hash: c53291bb22f167c1117c64e4e8babf7ee66c54f0eb9fd86ad0ace7e61aa5b09f
                                              • Instruction Fuzzy Hash: 0D21AAB5D002589FCB10CFA9D484ADEFBF4BB49324F14906AE814B7310D735A941CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0135D1D4, Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908216998.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 269063c2c301c28c874ed8b35a84c3184226b1357158f260ef5b39e0e641cb61
                                              • Instruction ID: c6d9a0cf1fa475e8aa193ef49379f520c81f8a70ec8367f86d0e2f8968c48406
                                              • Opcode Fuzzy Hash: 269063c2c301c28c874ed8b35a84c3184226b1357158f260ef5b39e0e641cb61
                                              • Instruction Fuzzy Hash: 952107B1504204EFDB45CF94D5C0F26BBA5FB84768F24C5ADDD094B346C376D846CA61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0135D01C, Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908216998.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bafff592f020e988dde65739d649f1590d0a957066ba565c2450963b15d16df6
                                              • Instruction ID: bbb23d1dcad1ee2a4f72ad62fa32ccc64307f3c2a1b400a2b6ae638eba9b5b9f
                                              • Opcode Fuzzy Hash: bafff592f020e988dde65739d649f1590d0a957066ba565c2450963b15d16df6
                                              • Instruction Fuzzy Hash: 8D2103B1504204DFDB55CF54D9C0F16BBA5FB84658F20C569DD094B246C33AD807CAA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0135D006, Relevance: .1, Instructions: 60COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908216998.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8f81c08d0ab194ff2cc8716ac51bfa1a4330b69fe567198484a77f5e93ffa7e3
                                              • Instruction ID: e836b5f111177ea0e896448ab44e4d387dd4617dd6b6b697e4c1b2873664a914
                                              • Opcode Fuzzy Hash: 8f81c08d0ab194ff2cc8716ac51bfa1a4330b69fe567198484a77f5e93ffa7e3
                                              • Instruction Fuzzy Hash: 1C219F755093808FDB12CF24D994B15BF71EB46218F28C5EAD8498B697C33AD84ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Function 0135D1CF, Relevance: .1, Instructions: 53COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.908216998.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bbf2c8cf6e9aa963d3f8e87034f12a02946631990a170d17c82b680eb3c0f293
                                              • Instruction ID: 74b10d489be3c530b74b69d624d8a383adeb1dc2886ba4a3d49181707069df2d
                                              • Opcode Fuzzy Hash: bbf2c8cf6e9aa963d3f8e87034f12a02946631990a170d17c82b680eb3c0f293
                                              • Instruction Fuzzy Hash: D911BB75904280DFCB52CF54C5C4B15BBB1FB84628F28C6ADDC494B656C33AD84ACBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions