Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report POSH service quotation.exe

Overview

General Information

Sample Name:POSH service quotation.exe
Analysis ID:458867
MD5:fbe4c77e66f8d27264b57e4358648de2
SHA1:6d3c4a210029e584bca436427d58930a2fc50123
SHA256:eb05092bdbc35f254d4a38fca26197482f2d81bf6ffb246f4dc7a4a5e4e250f4
Tags:exenull
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • POSH service quotation.exe (PID: 6888 cmdline: 'C:\Users\user\Desktop\POSH service quotation.exe' MD5: FBE4C77E66F8D27264B57E4358648DE2)
    • RegSvcs.exe (PID: 7096 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • NXLun.exe (PID: 6640 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NXLun.exe (PID: 5872 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "chefcomptable@ndn.edu.lb", "Password": "Lebanon-Achrafieh-39", "Host": "mail.ndn.edu.lb"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.908110927.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000002.00000002.908110927.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: RegSvcs.exe PID: 7096JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.2.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              2.2.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security

                Sigma Overview

                System Summary:

                barindex
                Sigma detected: Suspicious Process Start Without DLLShow sources
                Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\POSH service quotation.exe' , ParentImage: C:\Users\user\Desktop\POSH service quotation.exe, ParentProcessId: 6888, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7096
                Sigma detected: Possible Applocker BypassShow sources
                Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\POSH service quotation.exe' , ParentImage: C:\Users\user\Desktop\POSH service quotation.exe, ParentProcessId: 6888, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7096

                Jbx Signature Overview

                Click to jump to signature section

                Show All Signature Results

                AV Detection:

                barindex
                Found malware configurationShow sources
                Source: 2.2.RegSvcs.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "chefcomptable@ndn.edu.lb", "Password": "Lebanon-Achrafieh-39", "Host": "mail.ndn.edu.lb"}
                Multi AV Scanner detection for submitted fileShow sources
                Source: POSH service quotation.exeVirustotal: Detection: 62%Perma Link
                Source: POSH service quotation.exeMetadefender: Detection: 42%Perma Link
                Source: POSH service quotation.exeReversingLabs: Detection: 85%
                Machine Learning detection for sampleShow sources
                Source: POSH service quotation.exeJoe Sandbox ML: detected
                Source: 2.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                Source: POSH service quotation.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                Source: POSH service quotation.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000002.911608259.00000000055EA000.00000004.00000001.sdmp, NXLun.exe, 00000009.00000000.750981319.0000000000622000.00000002.00020000.sdmp, NXLun.exe, 0000000C.00000002.770207689.0000000000412000.00000002.00020000.sdmp, NXLun.exe.2.dr
                Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.2.dr
                Source: global trafficTCP traffic: 192.168.2.4:49766 -> 160.153.246.81:587
                Source: Joe Sandbox ViewASN Name: GODADDY-AMSDE GODADDY-AMSDE
                Source: global trafficTCP traffic: 192.168.2.4:49766 -> 160.153.246.81:587
                Source: unknownDNS traffic detected: queries for: mail.ndn.edu.lb
                Source: RegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                Source: RegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                Source: RegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpString found in binary or memory: http://LFVvwW.com
                Source: RegSvcs.exe, 00000002.00000002.910114344.00000000026C0000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                Source: RegSvcs.exe, 00000002.00000002.911646523.000000000561F000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                Source: RegSvcs.exe, 00000002.00000002.910114344.00000000026C0000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: RegSvcs.exe, 00000002.00000002.910114344.00000000026C0000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                Source: RegSvcs.exe, 00000002.00000002.910114344.00000000026C0000.00000004.00000001.sdmpString found in binary or memory: http://mail.ndn.edu.lb
                Source: RegSvcs.exe, 00000002.00000002.910114344.00000000026C0000.00000004.00000001.sdmpString found in binary or memory: http://ndn.edu.lb
                Source: RegSvcs.exe, 00000002.00000002.910114344.00000000026C0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: POSH service quotation.exe, 00000001.00000003.649817155.0000000005F7D000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                Source: POSH service quotation.exe, 00000001.00000003.646027299.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                Source: POSH service quotation.exe, 00000001.00000003.648118497.0000000005F46000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: POSH service quotation.exe, 00000001.00000003.647904795.0000000005F48000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn=
                Source: POSH service quotation.exe, 00000001.00000003.647332712.0000000005F47000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnM
                Source: POSH service quotation.exe, 00000001.00000003.647332712.0000000005F47000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnW
                Source: POSH service quotation.exe, 00000001.00000003.647984666.0000000005F46000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnYZ
                Source: POSH service quotation.exe, 00000001.00000003.647332712.0000000005F47000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnm
                Source: POSH service quotation.exe, 00000001.00000003.647163370.0000000005F4E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cns
                Source: POSH service quotation.exe, 00000001.00000003.645712360.0000000005F43000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: POSH service quotation.exe, 00000001.00000003.645712360.0000000005F43000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com&
                Source: POSH service quotation.exe, 00000001.00000003.645712360.0000000005F43000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma
                Source: POSH service quotation.exe, 00000001.00000003.645712360.0000000005F43000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comeB
                Source: RegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                Source: RegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                Source: RegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpString found in binary or memory: https://n7NI8RiXhvBEJFUh.com
                Source: RegSvcs.exe, 00000002.00000002.910114344.00000000026C0000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                Source: RegSvcs.exe, 00000002.00000002.908110927.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                Source: RegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                Spam, unwanted Advertisements and Ransom Demands:

                barindex
                Modifies the hosts fileShow sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                System Summary:

                barindex
                .NET source code contains very large array initializationsShow sources
                Source: 2.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b5585DBD7u002d49ABu002d489Eu002d93C8u002d17214E637171u007d/u0033C045904u002d47E3u002d41D0u002d898Fu002dA57D1955572A.csLarge array initialization: .cctor: array initializer size 11958
                Initial sample is a PE file and has a suspicious nameShow sources
                Source: initial sampleStatic PE information: Filename: POSH service quotation.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_021B47A02_2_021B47A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_021B3CCC2_2_021B3CCC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_021B46B02_2_021B46B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_021B54702_2_021B5470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05E056902_2_05E05690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05E0A2082_2_05E0A208
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                Source: POSH service quotation.exe, 00000001.00000000.643690380.0000000000C88000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIsVolati.exe> vs POSH service quotation.exe
                Source: POSH service quotation.exeBinary or memory string: OriginalFilenameIsVolati.exe> vs POSH service quotation.exe
                Source: POSH service quotation.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                Source: 2.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 2.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
                Source: C:\Users\user\Desktop\POSH service quotation.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POSH service quotation.exe.logJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeMutant created: \Sessions\1\BaseNamedObjects\sNGwwwRoQh
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_01
                Source: POSH service quotation.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\POSH service quotation.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\POSH service quotation.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: POSH service quotation.exeVirustotal: Detection: 62%
                Source: POSH service quotation.exeMetadefender: Detection: 42%
                Source: POSH service quotation.exeReversingLabs: Detection: 85%
                Source: unknownProcess created: C:\Users\user\Desktop\POSH service quotation.exe 'C:\Users\user\Desktop\POSH service quotation.exe'
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\POSH service quotation.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: POSH service quotation.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: POSH service quotation.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000002.911608259.00000000055EA000.00000004.00000001.sdmp, NXLun.exe, 00000009.00000000.750981319.0000000000622000.00000002.00020000.sdmp, NXLun.exe, 0000000C.00000002.770207689.0000000000412000.00000002.00020000.sdmp, NXLun.exe.2.dr
                Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.2.dr
                Source: POSH service quotation.exeStatic PE information: 0xD1177F0C [Fri Feb 28 14:19:56 2081 UTC]
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeCode function: 9_2_026F0480 push 00000002h; ret 9_2_026F0490
                Source: initial sampleStatic PE information: section name: .text entropy: 7.15292949404
                Source: POSH service quotation.exe, y2ZoyqBvkiLpZynbgg/D7ZoSLyb0a4IjfA5sD.csHigh entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'HqxCQBToZV', 'OPICVZLs74', 'p0qC6H7X8j', 'rGUCgNCGrm', 'w7GCI8jJoC', 'k9FCP7ZODw', 'miTC9vahs9'
                Source: POSH service quotation.exe, KmkPrjfVDLtoo8VRMk/vPqmqJwdKx859bs6ux.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wol6c2Ui4j', 'rsIJmdEnY1', 'GAJJyUbPAJ', 'L5IJHMIr0s', 'zVnJzbI5uw', 'gNdwhR7N9Z', 'rrywdQMj9N', 'UeVwxEhqjd'
                Source: POSH service quotation.exe, yZdsTn1fIO0uEjMpA7/U4Koa9e7qtBVpsEUlo.csHigh entropy of concatenated method names: 'FR1IssxZCk', 'vxoIIAJ2jB', '.ctor', 'U7WsT7PAEh', 'eGvsFp1G0G', 'CdJsqJ44W8', 'D5xsrEnpek', 'nBgsnuPHJF', 'Og9sSBR3Rw', 'tRAscLnjsm'
                Source: POSH service quotation.exe, EcCMyoxRX3aQXTYdam/MFIY6ImCGLwEB12C22.csHigh entropy of concatenated method names: '.ctor', 'w5265NI9y4', 'Dispose', 'CSu636x6XN', 'RUv68DYcEw', 'XMG6lYhkqg', 'dBP6YNkw7U', 'xuT6bFsFHU', 'YW56w4Gfkt', 'U19Ja3FNEh'
                Source: POSH service quotation.exe, FfU1aVGeRr9QdfbYaC/TsMrTyLmDlPvHxmVT4.csHigh entropy of concatenated method names: 'GjT8G8F1E6', 'nso8NbHleD', 'p4H8sfrMe3', 'yTG8AFS6TY', 'env834QU7s', 'ayO8i8lcoc', 'lhNVhuPFMj', 'jx1VGUpCw3', 'q3AVygN5Jq', '.ctor'
                Source: POSH service quotation.exe, bUkyPWh0IlQnEtT68c/lXLTMAo0Bfl8kfelPP.csHigh entropy of concatenated method names: '.ctor', 'PtcFLciRO', 'bhH2nYnkM', 'cIC4GLwEB', 'V05rBgPQ1', 'h9aOXbWd2', 'hggifABme', 'KXTS4f31L', 'Orsz28ZGP', 'disVQ8vpix'
                Source: POSH service quotation.exe, SnZOwdqgJuAJLaGk7V/CZLL3Q249Tn7XW2Yqa.csHigh entropy of concatenated method names: 'wKpIe3Fyn9', 'hFmI11IctJ', 'FvVIF83tn4', 'xZDI2rZgid', 'JiIIruLu0s', 'eBaIOWGtA5', 'CybIikiIRJ', 'QEiISHwKW1', 'ngYIzZfTeZ', 'kTgPQdeOq7'
                Source: POSH service quotation.exe, XHggc7VC3cAPY4cuB7O/DOUiTvVVahs9IWDNDwu.csHigh entropy of concatenated method names: 'afHPNGZtWU', 'E9sPAWplA9', 'WlyPJOnJEP', 'BfkPDufPlD', 'aM5PpqJwuR', 'AuvP7QHfPO', 'CnpPX9jy8J', 'AoOP5lK5oQ', 'fmIP3vsBaA', 'aeKP81c4Vv'
                Source: POSH service quotation.exe, wZgrE3V8kd9o71ocie1/QoNeMaV38oPgO5du69U.csHigh entropy of concatenated method names: '.ctor', 'k6EGQTUxqN', 'IrTGVtTLW9', 'GL9G6FOOuQ', 'JLhGgguW8R', 'M4RLSIJDf5', 'f24LcjwNO7', 'za9LzOQTWR', 'QRImpqMiwKhMc67TV3m', 'gZU6hgMu3PY732cp0rg'
                Source: POSH service quotation.exe, T5W3jAapkQDNqUJs1m/DI59kgKP2VF3S7YcpU.csHigh entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'pRSsvIDnmR', 'HAasE9ETTT', 'Dispose', 'Dispose', 'nVIsnWc8uEEhPWo1qyX', 'F3ForMcLOitKyRhFnlH', 'A3pLDZcDaRZyXQMHRjo'
                Source: POSH service quotation.exe, Rtw8G4V7nmDSEC6MrJT/RxhurcVppsnOJBQMnO8.csHigh entropy of concatenated method names: 'VbXLwnQpUp', 'dO3Lf7ZiQs', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
                Source: POSH service quotation.exe, bL1jWFUqZdwrfPiN6i/PfZmedRM73yXjeEQuJ.csHigh entropy of concatenated method names: '.ctor', 'Save', 'JPiDN6iRX', 'Load', 'oTMpA0Bfl', 'Ekf7elPPV', 'mkyXPW0Il', 'bLaqwbGo4Eukl6ve2X', 'DJyIw0ehDoZhCHiEK1', 'f7QIwXjupqY3o3kAf9'
                Source: POSH service quotation.exe, ynJT7RVBFv7n1Z2fXjk/XPeU2xVy62MpxY9dmgw.csHigh entropy of concatenated method names: 'v8n9ewKrDs', 'jxE913ShRg', 'R7Q9THJVuD', 'O3T9F1dWes', 'lUC92H6HxU', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
                Source: POSH service quotation.exe, QPFcijVAHEcgmun1vug/EX4MJgVNfB2uqsymehW.csHigh entropy of concatenated method names: '.ctor', 'RDDhpoosmI', 'X6bh7srgot', 'KVah5YudGJ', 'pXKh3tVTsg', 'get_Multiline', 'set_Multiline', 'yqkU4bvc4K', 'TPPUdHlJTv', 'YfDUWOj7FT'
                Source: POSH service quotation.exe, buyjBWWkjaeosgWhmQ/oRVHkQdv0AwAwy4LfI.csHigh entropy of concatenated method names: '.ctor', 'krjsGiUUl5', 'CDNsyVqvUQ', 'Gt3sBSHfCj', 'zjlsm7nnuX', 'J4Isxy4E3M', 'FkKOegcFkaPJB6cq2CI', 'GPwf9ac4vWgnYhaRdeZ', 'yiQDJgcHBjFqByGZtZo', 'GGCj67ck9OdGWQ6XihW'
                Source: POSH service quotation.exe, V4LOVqV5hNAS5JMscJm/Gm5Hg1VXaQ7DsdWepwD.csHigh entropy of concatenated method names: '.ctor', 'dVI5zvMEAE', 'rxk9h50uMV', 'kjqLF93yxU', 'ymNL2GqxY6', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
                Source: POSH service quotation.exe, wg4xHtVja3cr1EQHBga/MpTjsTVH8YDC2eo7Dnl.csHigh entropy of concatenated method names: 'dFdULnJRf5', 'JnwUGreDFx', 'JcNUCqZ63m', 'VXVU6s2xeZ', 'EyZUsWiQPY', 'ClUUI0NtUf', 'zmsUPf4RTl', 'PydUtGxsyU', 'OPwU9Uxf8T', 'dX7Ukly5OP'
                Source: POSH service quotation.exe, ojsFRdVEPwNIsDo8tca/d6gc9SVvDfvUnIIRqu6.csHigh entropy of concatenated method names: 'Dispose', 'uMd07FagpN', 'aew0XI2f9X', 'g8O05Kbudu', 'z7903cyACa', 'get_MinimumSize', 'set_MinimumSize', 'yAYRjdftf7', 'asVRNgD8he', 'xBNRJ9sO0r'
                Source: POSH service quotation.exe, w1p2U7VDxLHYple1GKO/OBCPblVJK9s6EjvouYo.csHigh entropy of concatenated method names: '.ctor', 's9rLE7KTDX', 'lPu5aDr30D', 'eMk5nrvTqH', 'FGkYcmpCdfP2x7V1evw', 'QaWw6bpEarKFoIgypl6', 'wqKmaipFE5d0nJWDMy0', 'Us7h5Qp4d2250FmYh0q', 'TE0MDGpHXS1X73VnUbC'
                Source: POSH service quotation.exe, jTnRyKVxm4EgAOctBsh/gNbYCmVmM5ZwO4fpJia.csHigh entropy of concatenated method names: '.ctor', 'QUhMvrRFkm', 'SpWMEgxu0t', 'fvGMCHSVJd', 'mvwM6egOy7', 'IFdMglWODr', 'RlqMsmU7qt', 'vsZMIKjDoA', 'TKXMPacRPt', 'gMOMthwZS8'
                Source: POSH service quotation.exe, AMeIPtVg9R0DtS8KHni/hiT99qV6beyplHunuRb.csHigh entropy of concatenated method names: '.ctor', 'eMV9E4aN4J', 'RAV9jIdHpc', 'gMa9AIEYwn', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'LrU3O0AF57PRqEAH1Ds', 'tkqBM4A44UMkfZwMkS7'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, y2ZoyqBvkiLpZynbgg/D7ZoSLyb0a4IjfA5sD.csHigh entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'HqxCQBToZV', 'OPICVZLs74', 'p0qC6H7X8j', 'rGUCgNCGrm', 'w7GCI8jJoC', 'k9FCP7ZODw', 'miTC9vahs9'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, KmkPrjfVDLtoo8VRMk/vPqmqJwdKx859bs6ux.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wol6c2Ui4j', 'rsIJmdEnY1', 'GAJJyUbPAJ', 'L5IJHMIr0s', 'zVnJzbI5uw', 'gNdwhR7N9Z', 'rrywdQMj9N', 'UeVwxEhqjd'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, EcCMyoxRX3aQXTYdam/MFIY6ImCGLwEB12C22.csHigh entropy of concatenated method names: '.ctor', 'w5265NI9y4', 'Dispose', 'CSu636x6XN', 'RUv68DYcEw', 'XMG6lYhkqg', 'dBP6YNkw7U', 'xuT6bFsFHU', 'YW56w4Gfkt', 'U19Ja3FNEh'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, XHggc7VC3cAPY4cuB7O/DOUiTvVVahs9IWDNDwu.csHigh entropy of concatenated method names: 'afHPNGZtWU', 'E9sPAWplA9', 'WlyPJOnJEP', 'BfkPDufPlD', 'aM5PpqJwuR', 'AuvP7QHfPO', 'CnpPX9jy8J', 'AoOP5lK5oQ', 'fmIP3vsBaA', 'aeKP81c4Vv'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, T5W3jAapkQDNqUJs1m/DI59kgKP2VF3S7YcpU.csHigh entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'pRSsvIDnmR', 'HAasE9ETTT', 'Dispose', 'Dispose', 'nVIsnWc8uEEhPWo1qyX', 'F3ForMcLOitKyRhFnlH', 'A3pLDZcDaRZyXQMHRjo'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, FfU1aVGeRr9QdfbYaC/TsMrTyLmDlPvHxmVT4.csHigh entropy of concatenated method names: 'GjT8G8F1E6', 'nso8NbHleD', 'p4H8sfrMe3', 'yTG8AFS6TY', 'env834QU7s', 'ayO8i8lcoc', 'lhNVhuPFMj', 'jx1VGUpCw3', 'q3AVygN5Jq', '.ctor'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, SnZOwdqgJuAJLaGk7V/CZLL3Q249Tn7XW2Yqa.csHigh entropy of concatenated method names: 'wKpIe3Fyn9', 'hFmI11IctJ', 'FvVIF83tn4', 'xZDI2rZgid', 'JiIIruLu0s', 'eBaIOWGtA5', 'CybIikiIRJ', 'QEiISHwKW1', 'ngYIzZfTeZ', 'kTgPQdeOq7'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, bUkyPWh0IlQnEtT68c/lXLTMAo0Bfl8kfelPP.csHigh entropy of concatenated method names: '.ctor', 'PtcFLciRO', 'bhH2nYnkM', 'cIC4GLwEB', 'V05rBgPQ1', 'h9aOXbWd2', 'hggifABme', 'KXTS4f31L', 'Orsz28ZGP', 'disVQ8vpix'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, ojsFRdVEPwNIsDo8tca/d6gc9SVvDfvUnIIRqu6.csHigh entropy of concatenated method names: 'Dispose', 'uMd07FagpN', 'aew0XI2f9X', 'g8O05Kbudu', 'z7903cyACa', 'get_MinimumSize', 'set_MinimumSize', 'yAYRjdftf7', 'asVRNgD8he', 'xBNRJ9sO0r'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, V4LOVqV5hNAS5JMscJm/Gm5Hg1VXaQ7DsdWepwD.csHigh entropy of concatenated method names: '.ctor', 'dVI5zvMEAE', 'rxk9h50uMV', 'kjqLF93yxU', 'ymNL2GqxY6', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, bL1jWFUqZdwrfPiN6i/PfZmedRM73yXjeEQuJ.csHigh entropy of concatenated method names: '.ctor', 'Save', 'JPiDN6iRX', 'Load', 'oTMpA0Bfl', 'Ekf7elPPV', 'mkyXPW0Il', 'bLaqwbGo4Eukl6ve2X', 'DJyIw0ehDoZhCHiEK1', 'f7QIwXjupqY3o3kAf9'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, wZgrE3V8kd9o71ocie1/QoNeMaV38oPgO5du69U.csHigh entropy of concatenated method names: '.ctor', 'k6EGQTUxqN', 'IrTGVtTLW9', 'GL9G6FOOuQ', 'JLhGgguW8R', 'M4RLSIJDf5', 'f24LcjwNO7', 'za9LzOQTWR', 'QRImpqMiwKhMc67TV3m', 'gZU6hgMu3PY732cp0rg'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, ynJT7RVBFv7n1Z2fXjk/XPeU2xVy62MpxY9dmgw.csHigh entropy of concatenated method names: 'v8n9ewKrDs', 'jxE913ShRg', 'R7Q9THJVuD', 'O3T9F1dWes', 'lUC92H6HxU', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, QPFcijVAHEcgmun1vug/EX4MJgVNfB2uqsymehW.csHigh entropy of concatenated method names: '.ctor', 'RDDhpoosmI', 'X6bh7srgot', 'KVah5YudGJ', 'pXKh3tVTsg', 'get_Multiline', 'set_Multiline', 'yqkU4bvc4K', 'TPPUdHlJTv', 'YfDUWOj7FT'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, wg4xHtVja3cr1EQHBga/MpTjsTVH8YDC2eo7Dnl.csHigh entropy of concatenated method names: 'dFdULnJRf5', 'JnwUGreDFx', 'JcNUCqZ63m', 'VXVU6s2xeZ', 'EyZUsWiQPY', 'ClUUI0NtUf', 'zmsUPf4RTl', 'PydUtGxsyU', 'OPwU9Uxf8T', 'dX7Ukly5OP'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, Rtw8G4V7nmDSEC6MrJT/RxhurcVppsnOJBQMnO8.csHigh entropy of concatenated method names: 'VbXLwnQpUp', 'dO3Lf7ZiQs', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, jTnRyKVxm4EgAOctBsh/gNbYCmVmM5ZwO4fpJia.csHigh entropy of concatenated method names: '.ctor', 'QUhMvrRFkm', 'SpWMEgxu0t', 'fvGMCHSVJd', 'mvwM6egOy7', 'IFdMglWODr', 'RlqMsmU7qt', 'vsZMIKjDoA', 'TKXMPacRPt', 'gMOMthwZS8'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, AMeIPtVg9R0DtS8KHni/hiT99qV6beyplHunuRb.csHigh entropy of concatenated method names: '.ctor', 'eMV9E4aN4J', 'RAV9jIdHpc', 'gMa9AIEYwn', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'LrU3O0AF57PRqEAH1Ds', 'tkqBM4A44UMkfZwMkS7'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, buyjBWWkjaeosgWhmQ/oRVHkQdv0AwAwy4LfI.csHigh entropy of concatenated method names: '.ctor', 'krjsGiUUl5', 'CDNsyVqvUQ', 'Gt3sBSHfCj', 'zjlsm7nnuX', 'J4Isxy4E3M', 'FkKOegcFkaPJB6cq2CI', 'GPwf9ac4vWgnYhaRdeZ', 'yiQDJgcHBjFqByGZtZo', 'GGCj67ck9OdGWQ6XihW'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, yZdsTn1fIO0uEjMpA7/U4Koa9e7qtBVpsEUlo.csHigh entropy of concatenated method names: 'FR1IssxZCk', 'vxoIIAJ2jB', '.ctor', 'U7WsT7PAEh', 'eGvsFp1G0G', 'CdJsqJ44W8', 'D5xsrEnpek', 'nBgsnuPHJF', 'Og9sSBR3Rw', 'tRAscLnjsm'
                Source: 1.0.POSH service quotation.exe.b90000.0.unpack, w1p2U7VDxLHYple1GKO/OBCPblVJK9s6EjvouYo.csHigh entropy of concatenated method names: '.ctor', 's9rLE7KTDX', 'lPu5aDr30D', 'eMk5nrvTqH', 'FGkYcmpCdfP2x7V1evw', 'QaWw6bpEarKFoIgypl6', 'wqKmaipFE5d0nJWDMy0', 'Us7h5Qp4d2250FmYh0q', 'TE0MDGpHXS1X73VnUbC'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeJump to dropped file
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLunJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLunJump to behavior

                Hooking and other Techniques for Hiding and Protection:

                barindex
                Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion:

                barindex
                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\POSH service quotation.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 448Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 9412Jump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exe TID: 6892Thread sleep time: -42361s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exe TID: 6956Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 6960Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 5728Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\POSH service quotation.exeThread delayed: delay time: 42361Jump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: RegSvcs.exe, 00000002.00000002.911397190.00000000054E0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: RegSvcs.exe, 00000002.00000002.911608259.00000000055EA000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllization
                Source: RegSvcs.exe, 00000002.00000002.911397190.00000000054E0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: RegSvcs.exe, 00000002.00000002.911397190.00000000054E0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: RegSvcs.exe, 00000002.00000002.911397190.00000000054E0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion:

                barindex
                Modifies the hosts fileShow sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
                Source: RegSvcs.exe, 00000002.00000002.909066332.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                Source: RegSvcs.exe, 00000002.00000002.909066332.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: RegSvcs.exe, 00000002.00000002.909066332.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: Progman
                Source: RegSvcs.exe, 00000002.00000002.909066332.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Users\user\Desktop\POSH service quotation.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\POSH service quotation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Lowering of HIPS / PFW / Operating System Security Settings:

                barindex
                Modifies the hosts fileShow sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                Stealing of Sensitive Information:

                barindex
                Yara detected AgentTeslaShow sources
                Source: Yara matchFile source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.908110927.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTeslaShow sources
                Source: Yara matchFile source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.908110927.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7096, type: MEMORYSTR
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                Tries to harvest and steal browser information (history, passwords, etc)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Tries to harvest and steal ftp login credentialsShow sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
                Tries to steal Mail credentials (via file access)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Yara matchFile source: 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7096, type: MEMORYSTR

                Remote Access Functionality:

                barindex
                Yara detected AgentTeslaShow sources
                Source: Yara matchFile source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.908110927.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTeslaShow sources
                Source: Yara matchFile source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.908110927.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7096, type: MEMORYSTR

                Mitre Att&ck Matrix

                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid AccountsWindows Management Instrumentation211Registry Run Keys / Startup Folder1Process Injection12File and Directory Permissions Modification1OS Credential Dumping2System Information Discovery114Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsRegistry Run Keys / Startup Folder1Disable or Modify Tools1Credentials in Registry1Query Registry1Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerSecurity Software Discovery111SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing2LSA SecretsVirtualization/Sandbox Evasion131SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.commonTimestomp1Cached Domain CredentialsApplication Window Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup ItemsMasquerading1DCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobVirtualization/Sandbox Evasion131Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Process Injection12/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Hidden Files and Directories1Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                POSH service quotation.exe62%VirustotalBrowse
                POSH service quotation.exe49%MetadefenderBrowse
                POSH service quotation.exe85%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                POSH service quotation.exe100%Joe Sandbox ML

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Roaming\NXLun\NXLun.exe0%MetadefenderBrowse
                C:\Users\user\AppData\Roaming\NXLun\NXLun.exe0%ReversingLabs

                Unpacked PE Files

                SourceDetectionScannerLabelLinkDownload
                2.2.RegSvcs.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                Domains

                SourceDetectionScannerLabelLink
                ndn.edu.lb0%VirustotalBrowse

                URLs

                SourceDetectionScannerLabelLink
                http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                http://DynDns.comDynDNS0%URL Reputationsafe
                http://www.founder.com.cn/cn0%URL Reputationsafe
                https://n7NI8RiXhvBEJFUh.com0%Avira URL Cloudsafe
                https://sectigo.com/CPS00%URL Reputationsafe
                http://ndn.edu.lb0%Avira URL Cloudsafe
                http://www.founder.com.cn/cnM0%Avira URL Cloudsafe
                http://www.founder.com.cn/cnW0%Avira URL Cloudsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                http://www.founder.com.cn/cns0%URL Reputationsafe
                http://LFVvwW.com0%Avira URL Cloudsafe
                http://www.sajatypeworks.comeB0%Avira URL Cloudsafe
                https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                http://www.sajatypeworks.coma0%URL Reputationsafe
                http://mail.ndn.edu.lb0%Avira URL Cloudsafe
                http://www.founder.com.cn/cn=0%Avira URL Cloudsafe
                http://www.sajatypeworks.com&0%Avira URL Cloudsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                http://www.founder.com.cn/cnYZ0%Avira URL Cloudsafe
                https://api.ipify.org%$0%Avira URL Cloudsafe
                http://www.sajatypeworks.com0%URL Reputationsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                ndn.edu.lb
                		160.153.246.81
                		truetrueunknown
                mail.ndn.edu.lb
                		unknown
                		unknowntrue
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://127.0.0.1:HTTP/1.1RegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		low
                  http://DynDns.comDynDNSRegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.founder.com.cn/cnPOSH service quotation.exe, 00000001.00000003.648118497.0000000005F46000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://n7NI8RiXhvBEJFUh.comRegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://sectigo.com/CPS0RegSvcs.exe, 00000002.00000002.910114344.00000000026C0000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://ndn.edu.lbRegSvcs.exe, 00000002.00000002.910114344.00000000026C0000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.founder.com.cn/cnMPOSH service quotation.exe, 00000001.00000003.647332712.0000000005F47000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.founder.com.cn/cnmPOSH service quotation.exe, 00000001.00000003.647332712.0000000005F47000.00000004.00000001.sdmpfalse
                    		unknown
                    http://www.founder.com.cn/cnWPOSH service quotation.exe, 00000001.00000003.647332712.0000000005F47000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haRegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.founder.com.cn/cnsPOSH service quotation.exe, 00000001.00000003.647163370.0000000005F4E000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://LFVvwW.comRegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.sajatypeworks.comeBPOSH service quotation.exe, 00000001.00000003.645712360.0000000005F43000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://api.ipify.org%GETMozilla/5.0RegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		low
                    http://www.ascendercorp.com/typedesigners.htmlPOSH service quotation.exe, 00000001.00000003.649817155.0000000005F7D000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fonts.comPOSH service quotation.exe, 00000001.00000003.646027299.0000000005F5B000.00000004.00000001.sdmpfalse
                      		high
                      http://www.sajatypeworks.comaPOSH service quotation.exe, 00000001.00000003.645712360.0000000005F43000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://mail.ndn.edu.lbRegSvcs.exe, 00000002.00000002.910114344.00000000026C0000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.founder.com.cn/cn=POSH service quotation.exe, 00000001.00000003.647904795.0000000005F48000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.sajatypeworks.com&POSH service quotation.exe, 00000001.00000003.645712360.0000000005F43000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipRegSvcs.exe, 00000002.00000002.908110927.0000000000402000.00000040.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.founder.com.cn/cnYZPOSH service quotation.exe, 00000001.00000003.647984666.0000000005F46000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://api.ipify.org%$RegSvcs.exe, 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://www.sajatypeworks.comPOSH service quotation.exe, 00000001.00000003.645712360.0000000005F43000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown

                      Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public

                      IPDomainCountryFlagASNASN NameMalicious
                      160.153.246.81
                      		ndn.edu.lbUnited States
                      		21501GODADDY-AMSDEtrue

                      General Information

                      Joe Sandbox Version:33.0.0 White Diamond
                      Analysis ID:458867
                      Start date:03.08.2021
                      Start time:20:17:16
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 8m 6s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:POSH service quotation.exe
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:20
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
                      EGA Information:Failed
                      HDC Information:Failed
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 44
                      • Number of non-executed functions: 2
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Found application associated with file extension: .exe
                      Warnings:
                      Show All
                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 168.61.161.212, 52.255.188.83, 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.50.102.62
                      • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      20:18:22API Interceptor1x Sleep call for process: POSH service quotation.exe modified
                      20:18:31API Interceptor687x Sleep call for process: RegSvcs.exe modified
                      20:18:44AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                      20:18:52AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                      160.153.246.81statement.exeGet hashmaliciousBrowse
                        Invoice no SS21-22185.exeGet hashmaliciousBrowse
                          PO.exeGet hashmaliciousBrowse
                            Order - HOM-OS-20-21-5-12.exeGet hashmaliciousBrowse

                              Domains

                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                              ASN

                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                              GODADDY-AMSDENouveau bon de commande. 3007021_pdf.exeGet hashmaliciousBrowse
                              • 160.153.138.219
                              New_1007572_021.xltxGet hashmaliciousBrowse
                              • 160.153.129.234
                              ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exeGet hashmaliciousBrowse
                              • 160.153.136.3
                              Purchase Requirements.exeGet hashmaliciousBrowse
                              • 160.153.136.3
                              New order.xltxGet hashmaliciousBrowse
                              • 160.153.129.234
                              statement.exeGet hashmaliciousBrowse
                              • 160.153.246.81
                              Purchase Requirements.exeGet hashmaliciousBrowse
                              • 160.153.136.3
                              Invoice no SS21-22185.exeGet hashmaliciousBrowse
                              • 160.153.246.81
                              i9Na8iof4G.exeGet hashmaliciousBrowse
                              • 160.153.136.3
                              2129-20 30% CLAIM - PO SPO21-01-072.exeGet hashmaliciousBrowse
                              • 160.153.16.6
                              AMxAyl1FvN.docGet hashmaliciousBrowse
                              • 160.153.208.149
                              M7ZGK4fBfl.exeGet hashmaliciousBrowse
                              • 160.153.136.3
                              altnp3zI5hfg3Eg.exeGet hashmaliciousBrowse
                              • 160.153.136.3
                              gqdJ6f9axq.exeGet hashmaliciousBrowse
                              • 160.153.136.3
                              YaRh8PG41y.exeGet hashmaliciousBrowse
                              • 160.153.136.3
                              2129-20 30% CLAIM - PO SPO21-01-072.exeGet hashmaliciousBrowse
                              • 160.153.16.6
                              Invoice #210722 14,890 $.exeGet hashmaliciousBrowse
                              • 160.153.136.3
                              SCAN_Wells Fargo bank payment.exeGet hashmaliciousBrowse
                              • 160.153.133.86
                              PO.exeGet hashmaliciousBrowse
                              • 160.153.246.81
                              4bTTNoUZaa.exeGet hashmaliciousBrowse
                              • 160.153.136.3

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                              C:\Users\user\AppData\Roaming\NXLun\NXLun.exeSOA.exeGet hashmaliciousBrowse
                                epda.exeGet hashmaliciousBrowse
                                  POSH service quotation..exeGet hashmaliciousBrowse
                                    SWIFT REF GO 20210730SFT21020137.exeGet hashmaliciousBrowse
                                      HJKcEjrUuzYMV9X.exeGet hashmaliciousBrowse
                                        est pda.exeGet hashmaliciousBrowse
                                          BL COPY.exeGet hashmaliciousBrowse
                                            DOC.exeGet hashmaliciousBrowse
                                              statement.exeGet hashmaliciousBrowse
                                                PO-K-128 IAN 340854.exeGet hashmaliciousBrowse
                                                  PO#4500484210.exeGet hashmaliciousBrowse
                                                    Invoice no SS21-22185.exeGet hashmaliciousBrowse
                                                      SQycD6hL4Y.exeGet hashmaliciousBrowse
                                                        Aggiornamento ordine Quantit#U00e0__BFM Srl 117-28050-01.exeGet hashmaliciousBrowse
                                                          PAYMENT INSTRUCTIONS COPY.exeGet hashmaliciousBrowse
                                                            FINAL SHIPPING DOC..exeGet hashmaliciousBrowse
                                                              Spare Parts Requisition-003,004.exeGet hashmaliciousBrowse
                                                                PO NOAB1088 ALEMO INDUSTRIAL ENGINEERS.exeGet hashmaliciousBrowse
                                                                  Order List.exeGet hashmaliciousBrowse
                                                                    PAYMENT BANK INSTRUCTIONS COPY.exeGet hashmaliciousBrowse

                                                                      Created / dropped Files

                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log
                                                                      Process:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:modified
                                                                      Size (bytes):142
                                                                      Entropy (8bit):5.090621108356562
                                                                      Encrypted:false
                                                                      SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                      MD5:8C0458BB9EA02D50565175E38D577E35
                                                                      SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                      SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                      SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POSH service quotation.exe.log
                                                                      Process:C:\Users\user\Desktop\POSH service quotation.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1216
                                                                      Entropy (8bit):5.355304211458859
                                                                      Encrypted:false
                                                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                                      MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                                      SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                                      SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                                      SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                                      Malicious:true
                                                                      Reputation:high, very likely benign file
                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                      C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):45152
                                                                      Entropy (8bit):6.149629800481177
                                                                      Encrypted:false
                                                                      SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                      MD5:2867A3817C9245F7CF518524DFD18F28
                                                                      SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                      SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                      SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Joe Sandbox View:
                                                                      • Filename: SOA.exe, Detection: malicious, Browse
                                                                      • Filename: epda.exe, Detection: malicious, Browse
                                                                      • Filename: POSH service quotation..exe, Detection: malicious, Browse
                                                                      • Filename: SWIFT REF GO 20210730SFT21020137.exe, Detection: malicious, Browse
                                                                      • Filename: HJKcEjrUuzYMV9X.exe, Detection: malicious, Browse
                                                                      • Filename: est pda.exe, Detection: malicious, Browse
                                                                      • Filename: BL COPY.exe, Detection: malicious, Browse
                                                                      • Filename: DOC.exe, Detection: malicious, Browse
                                                                      • Filename: statement.exe, Detection: malicious, Browse
                                                                      • Filename: PO-K-128 IAN 340854.exe, Detection: malicious, Browse
                                                                      • Filename: PO#4500484210.exe, Detection: malicious, Browse
                                                                      • Filename: Invoice no SS21-22185.exe, Detection: malicious, Browse
                                                                      • Filename: SQycD6hL4Y.exe, Detection: malicious, Browse
                                                                      • Filename: Aggiornamento ordine Quantit#U00e0__BFM Srl 117-28050-01.exe, Detection: malicious, Browse
                                                                      • Filename: PAYMENT INSTRUCTIONS COPY.exe, Detection: malicious, Browse
                                                                      • Filename: FINAL SHIPPING DOC..exe, Detection: malicious, Browse
                                                                      • Filename: Spare Parts Requisition-003,004.exe, Detection: malicious, Browse
                                                                      • Filename: PO NOAB1088 ALEMO INDUSTRIAL ENGINEERS.exe, Detection: malicious, Browse
                                                                      • Filename: Order List.exe, Detection: malicious, Browse
                                                                      • Filename: PAYMENT BANK INSTRUCTIONS COPY.exe, Detection: malicious, Browse
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                      C:\Windows\System32\drivers\etc\hosts
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:modified
                                                                      Size (bytes):11
                                                                      Entropy (8bit):2.663532754804255
                                                                      Encrypted:false
                                                                      SSDEEP:3:iLE:iLE
                                                                      MD5:B24D295C1F84ECBFB566103374FB91C5
                                                                      SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                                                                      SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                                                                      SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                                                                      Malicious:true
                                                                      Preview: ..127.0.0.1
                                                                      \Device\ConDrv
                                                                      Process:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1141
                                                                      Entropy (8bit):4.44831826838854
                                                                      Encrypted:false
                                                                      SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                      MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                      SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                      SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                      SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                      Malicious:false
                                                                      Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):7.146711496574452
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Windows Screen Saver (13104/52) 0.07%
                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                      File name:POSH service quotation.exe
                                                                      File size:1005568
                                                                      MD5:fbe4c77e66f8d27264b57e4358648de2
                                                                      SHA1:6d3c4a210029e584bca436427d58930a2fc50123
                                                                      SHA256:eb05092bdbc35f254d4a38fca26197482f2d81bf6ffb246f4dc7a4a5e4e250f4
                                                                      SHA512:5e5cecbdf73e6950b7c0b8984e181f85383bfee22375b9876bdd7f42f362d90c050e022de5fea420a7f63d02a3729f8376da0394e11d48ec695117ff7218016c
                                                                      SSDEEP:12288:DcR0s3mhdk4pAp/d3XhQ6NBoeTfInwAO3ZwZEex6X6jRkcTQsIjwgf3le1EfhTsw:gasee4I/d3u6NCerCDOa0ARkP/F32cn
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................N..........~l... ........@.. ....................................@................................

                                                                      File Icon

                                                                      Icon Hash:00828e8e8686b000

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x4f6c7e
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                      Time Stamp:0xD1177F0C [Fri Feb 28 14:19:56 2081 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:v4.0.30319
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      jmp dword ptr [00402000h]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al

                                                                      Data Directories

                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0xf6c300x4b.text
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xf80000x5c0.rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xfa0000xc.reloc
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                      Sections

                                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                      .text0x20000xf4c840xf4e00False0.686369400842data7.15292949404IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                      .rsrc0xf80000x5c00x600False0.425130208333data4.09165938354IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      .reloc0xfa0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                      Resources

                                                                      NameRVASizeTypeLanguageCountry
                                                                      RT_VERSION0xf80a00x334data
                                                                      RT_MANIFEST0xf83d40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                      Imports

                                                                      DLLImport
                                                                      mscoree.dll_CorExeMain

                                                                      Version Infos

                                                                      DescriptionData
                                                                      Translation0x0000 0x04b0
                                                                      LegalCopyrightCopyright 2019
                                                                      Assembly Version1.0.0.0
                                                                      InternalNameIsVolati.exe
                                                                      FileVersion1.0.0.0
                                                                      CompanyName
                                                                      LegalTrademarks
                                                                      Comments
                                                                      ProductNameControlLibrary
                                                                      ProductVersion1.0.0.0
                                                                      FileDescriptionControlLibrary
                                                                      OriginalFilenameIsVolati.exe

                                                                      Network Behavior

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Aug 3, 2021 20:19:55.727636099 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:55.754004955 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:55.754156113 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:55.792501926 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:55.793375969 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:55.820009947 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:55.820411921 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:55.850832939 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:55.895809889 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:55.934561968 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:55.934619904 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:55.934670925 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:55.934685946 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:55.934705019 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:55.934848070 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:55.938410997 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:55.978076935 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:56.004870892 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:56.057631969 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:56.273515940 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:56.300081968 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:56.302927017 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:56.359771967 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:56.362921953 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:56.429588079 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:58.404012918 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:58.404932022 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:58.431566954 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:58.432451963 CEST58749766160.153.246.81192.168.2.4
                                                                      Aug 3, 2021 20:19:58.432626009 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:58.482070923 CEST49766587192.168.2.4160.153.246.81
                                                                      Aug 3, 2021 20:19:58.508667946 CEST58749766160.153.246.81192.168.2.4

                                                                      UDP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Aug 3, 2021 20:17:56.526424885 CEST4925753192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:17:56.561613083 CEST53492578.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:17:57.369895935 CEST6238953192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:17:57.396161079 CEST53623898.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:17:58.181026936 CEST4991053192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:17:58.205884933 CEST53499108.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:17:59.668344975 CEST5585453192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:17:59.696126938 CEST53558548.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:00.467626095 CEST6454953192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:00.503145933 CEST53645498.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:01.362435102 CEST6315353192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:01.398427963 CEST53631538.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:02.229716063 CEST5299153192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:02.254739046 CEST53529918.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:02.950021029 CEST5370053192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:02.983907938 CEST53537008.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:03.790205002 CEST5172653192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:03.822789907 CEST53517268.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:06.538073063 CEST5679453192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:06.565551996 CEST53567948.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:07.363991022 CEST5653453192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:07.388935089 CEST53565348.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:08.234797955 CEST5662753192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:08.267210960 CEST53566278.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:08.965172052 CEST5662153192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:08.997823954 CEST53566218.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:09.972893953 CEST6311653192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:10.000296116 CEST53631168.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:10.657464981 CEST6407853192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:10.685278893 CEST53640788.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:12.411834002 CEST6480153192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:12.436873913 CEST53648018.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:13.394529104 CEST6172153192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:13.430144072 CEST53617218.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:14.041624069 CEST5125553192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:14.066657066 CEST53512558.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:26.001394033 CEST6152253192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:26.044747114 CEST53615228.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:40.509794950 CEST5233753192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:40.569750071 CEST53523378.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:41.072607994 CEST5504653192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:41.106442928 CEST53550468.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:41.645183086 CEST4961253192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:41.665237904 CEST4928553192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:41.685843945 CEST53496128.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:41.716003895 CEST53492858.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:42.055252075 CEST5060153192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:42.087647915 CEST53506018.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:42.616462946 CEST6087553192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:42.649302006 CEST53608758.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:43.167431116 CEST5644853192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:43.192008018 CEST53564488.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:43.865648031 CEST5917253192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:43.900962114 CEST53591728.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:44.747663021 CEST6242053192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:44.780234098 CEST53624208.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:45.933136940 CEST6057953192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:45.966548920 CEST53605798.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:18:46.646364927 CEST5018353192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:18:46.681523085 CEST53501838.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:19:00.273962975 CEST6153153192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:19:00.309366941 CEST53615318.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:19:00.908595085 CEST4922853192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:19:00.955732107 CEST53492288.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:19:04.265491962 CEST5979453192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:19:04.299850941 CEST53597948.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:19:38.360157967 CEST5591653192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:19:38.410847902 CEST53559168.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:19:40.171494007 CEST5275253192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:19:40.218569040 CEST53527528.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:19:55.380009890 CEST6054253192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:19:55.626699924 CEST53605428.8.8.8192.168.2.4
                                                                      Aug 3, 2021 20:19:55.665913105 CEST6068953192.168.2.48.8.8.8
                                                                      Aug 3, 2021 20:19:55.710277081 CEST53606898.8.8.8192.168.2.4

                                                                      DNS Queries

                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                      Aug 3, 2021 20:19:55.380009890 CEST192.168.2.48.8.8.80x6cd1Standard query (0)mail.ndn.edu.lbA (IP address)IN (0x0001)
                                                                      Aug 3, 2021 20:19:55.665913105 CEST192.168.2.48.8.8.80x236eStandard query (0)mail.ndn.edu.lbA (IP address)IN (0x0001)

                                                                      DNS Answers

                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                      Aug 3, 2021 20:19:55.626699924 CEST8.8.8.8192.168.2.40x6cd1No error (0)mail.ndn.edu.lbndn.edu.lbCNAME (Canonical name)IN (0x0001)
                                                                      Aug 3, 2021 20:19:55.626699924 CEST8.8.8.8192.168.2.40x6cd1No error (0)ndn.edu.lb160.153.246.81A (IP address)IN (0x0001)
                                                                      Aug 3, 2021 20:19:55.710277081 CEST8.8.8.8192.168.2.40x236eNo error (0)mail.ndn.edu.lbndn.edu.lbCNAME (Canonical name)IN (0x0001)
                                                                      Aug 3, 2021 20:19:55.710277081 CEST8.8.8.8192.168.2.40x236eNo error (0)ndn.edu.lb160.153.246.81A (IP address)IN (0x0001)

                                                                      SMTP Packets

                                                                      TimestampSource PortDest PortSource IPDest IPCommands
                                                                      Aug 3, 2021 20:19:55.792501926 CEST58749766160.153.246.81192.168.2.4220-server.insight-lb.com ESMTP Exim 4.94.2 #2 Tue, 03 Aug 2021 21:19:55 +0300
                                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                                      220 and/or bulk e-mail.
                                                                      Aug 3, 2021 20:19:55.793375969 CEST49766587192.168.2.4160.153.246.81EHLO 134349
                                                                      Aug 3, 2021 20:19:55.820009947 CEST58749766160.153.246.81192.168.2.4250-server.insight-lb.com Hello 134349 [84.17.52.25]
                                                                      250-SIZE 52428800
                                                                      250-8BITMIME
                                                                      250-PIPELINING
                                                                      250-PIPE_CONNECT
                                                                      250-AUTH PLAIN LOGIN
                                                                      250-STARTTLS
                                                                      250 HELP
                                                                      Aug 3, 2021 20:19:55.820411921 CEST49766587192.168.2.4160.153.246.81STARTTLS
                                                                      Aug 3, 2021 20:19:55.850832939 CEST58749766160.153.246.81192.168.2.4220 TLS go ahead

                                                                      Code Manipulations

                                                                      Statistics

                                                                      CPU Usage

                                                                      Click to jump to process

                                                                      Memory Usage

                                                                      Click to jump to process

                                                                      High Level Behavior Distribution

                                                                      Click to dive into process behavior distribution

                                                                      Behavior

                                                                      Click to jump to process

                                                                      System Behavior

                                                                      Analysis Process: POSH service quotation.exe PID: 6888 Parent PID: 5784

                                                                      General

                                                                      Start time:20:18:02
                                                                      Start date:03/08/2021
                                                                      Path:C:\Users\user\Desktop\POSH service quotation.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\POSH service quotation.exe'
                                                                      Imagebase:0xb90000
                                                                      File size:1005568 bytes
                                                                      MD5 hash:FBE4C77E66F8D27264B57E4358648DE2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Reputation:low

                                                                      Chronological Activities

                                                                      Analysis Process: RegSvcs.exe PID: 7096 Parent PID: 6888

                                                                      General

                                                                      Start time:20:18:23
                                                                      Start date:03/08/2021
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                      Imagebase:0x10000
                                                                      File size:45152 bytes
                                                                      MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.908110927.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.908110927.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.909617305.0000000002361000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Reputation:high

                                                                      Chronological Activities

                                                                      Analysis Process: NXLun.exe PID: 6640 Parent PID: 3424

                                                                      General

                                                                      Start time:20:18:52
                                                                      Start date:03/08/2021
                                                                      Path:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                                                                      Imagebase:0x620000
                                                                      File size:45152 bytes
                                                                      MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Antivirus matches:
                                                                      • Detection: 0%, Metadefender, Browse
                                                                      • Detection: 0%, ReversingLabs
                                                                      Reputation:high

                                                                      Chronological Activities

                                                                      Analysis Process: conhost.exe PID: 6692 Parent PID: 6640

                                                                      General

                                                                      Start time:20:18:53
                                                                      Start date:03/08/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff724c50000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Chronological Activities

                                                                      Analysis Process: NXLun.exe PID: 5872 Parent PID: 3424

                                                                      General

                                                                      Start time:20:19:00
                                                                      Start date:03/08/2021
                                                                      Path:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                                                                      Imagebase:0x410000
                                                                      File size:45152 bytes
                                                                      MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Reputation:high

                                                                      Chronological Activities

                                                                      Analysis Process: conhost.exe PID: 6120 Parent PID: 5872

                                                                      General

                                                                      Start time:20:19:01
                                                                      Start date:03/08/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff724c50000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Chronological Activities

                                                                      Disassembly

                                                                      Code Analysis

                                                                      Reset < >

                                                                        Analysis Process: RegSvcs.exe PID: 7096 Parent PID: 6888 RegSvcs.exeCOMMON

                                                                        Executed Functions

                                                                        Function 021B46B0, Relevance: .3, Instructions: 347COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9413d526bed73d180043f778abf143dc9183e1587ee6975ec96c56f5c8e69bb5
                                                                        • Instruction ID: 7e0726dff5929920504af89a0e19e4507ff93dc71cf14796b4027063f993f060
                                                                        • Opcode Fuzzy Hash: 9413d526bed73d180043f778abf143dc9183e1587ee6975ec96c56f5c8e69bb5
                                                                        • Instruction Fuzzy Hash: 69E1C1B99843458FE719CF78E8482893BB1FBC6318F114A19D1616F2E2E7BD184ADF40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021B47A0, Relevance: .3, Instructions: 315COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6d896c6cc7248a205d0342123618c90af4e02f8694665b3c3e7cf7b45f8c3f3b
                                                                        • Instruction ID: 61fec1ffa55c036315be1f70c8477d443664c63265ea5b7ea2fc6d0037cb3dad
                                                                        • Opcode Fuzzy Hash: 6d896c6cc7248a205d0342123618c90af4e02f8694665b3c3e7cf7b45f8c3f3b
                                                                        • Instruction Fuzzy Hash: D512F4F9585752CBE318CF69E8481893BA1F7C1728F508B08D2612F6E1E7BD198ADF44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021B3CCC, Relevance: .2, Instructions: 233COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: ba5bdf0f2549e2bc9d734d54c8ba8601e52cdb6c34d50884185bdbb9cb02efd1
                                                                        • Instruction ID: 5eab0cee063fdb2d043589703e7c760e1253d2c5d6ebb33b07f74adc34d6fd86
                                                                        • Opcode Fuzzy Hash: ba5bdf0f2549e2bc9d734d54c8ba8601e52cdb6c34d50884185bdbb9cb02efd1
                                                                        • Instruction Fuzzy Hash: 6491BF35E0031A9FDB05DFB0D8549DDB7BBFF89304F658619E516AB2A0EB34A841CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021B5470, Relevance: .2, Instructions: 206COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: b1b6230b7c28632fb9fd7857ca1391e548c5572787cfb39a0db947a0cb224f02
                                                                        • Instruction ID: 91b2c8a176144c069b67af8edd34fa1e64dd6248be1a4c47e133580547fa0e10
                                                                        • Opcode Fuzzy Hash: b1b6230b7c28632fb9fd7857ca1391e548c5572787cfb39a0db947a0cb224f02
                                                                        • Instruction Fuzzy Hash: 6181C275E0031A9FCB05DFB0D8549DDBBB6FF8A304F158619E505AB2A0EB34A845CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021B6B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 021B6BB0
                                                                        • GetCurrentThread.KERNEL32 ref: 021B6BED
                                                                        • GetCurrentProcess.KERNEL32 ref: 021B6C2A
                                                                        • GetCurrentThreadId.KERNEL32 ref: 021B6C83
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Current$ProcessThread
                                                                        • String ID:
                                                                        • API String ID: 2063062207-0
                                                                        • Opcode ID: cd871901c36359ea0fc8cf8cbddf3b8d04d878b1408444bc15da725a522d70e2
                                                                        • Instruction ID: 637ca1a6cbff763c6a42701b96de8a7c88b36f191b2d54f469fec3a1f518b059
                                                                        • Opcode Fuzzy Hash: cd871901c36359ea0fc8cf8cbddf3b8d04d878b1408444bc15da725a522d70e2
                                                                        • Instruction Fuzzy Hash: 945156B0A002889FEB51CFA9C648BDEBBF4EF98314F248559E509A7350DB34A844CF65
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021B424C, Relevance: 1.6, APIs: 1, Instructions: 125COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 021B4216
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: 43c67603c35180f3e13be524fdec1bdb812ab8257325e86aa78da740b120ba9f
                                                                        • Instruction ID: c7f10cadfcd115313bf0969e18aba3aefce5b144beefce12c87effd38990085b
                                                                        • Opcode Fuzzy Hash: 43c67603c35180f3e13be524fdec1bdb812ab8257325e86aa78da740b120ba9f
                                                                        • Instruction Fuzzy Hash: 585194B5D002498FDB20CFA9E4957DEBBF0FF08314F14816AE855A7292D7389446CF92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021B5184, Relevance: 1.6, APIs: 1, Instructions: 115COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 021B52A2
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: a754d7fcc174599dfacedcc21339b4b7e696f3832812b3a006396d598a431b18
                                                                        • Instruction ID: f3899453d3952fa8af2706f5b1669fa60ca94ded9ccbfd39aff225b3390d762a
                                                                        • Opcode Fuzzy Hash: a754d7fcc174599dfacedcc21339b4b7e696f3832812b3a006396d598a431b18
                                                                        • Instruction Fuzzy Hash: E751C0B1D00349EFDB15CFA9C984ADEBBB6FF48314F64812AE819AB210D7749845CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021B5190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 021B52A2
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: 4c8015aaf2edc22a364d55f5de090222b9070335be72dbdf675203e095b22b11
                                                                        • Instruction ID: 903c646f7a37f74f510e6732ad28ffd0255078995a013bdf2e93a786247d52d0
                                                                        • Opcode Fuzzy Hash: 4c8015aaf2edc22a364d55f5de090222b9070335be72dbdf675203e095b22b11
                                                                        • Instruction Fuzzy Hash: E441CFB5D00349EFDB15CFA9C984ADEBBB6BF48314F64812AE819AB210D7749845CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021B6964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 021B7CF9
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CallProcWindow
                                                                        • String ID:
                                                                        • API String ID: 2714655100-0
                                                                        • Opcode ID: 911dd3369f84a989930dc16ecf33e8e48debf57fde57329d5d5cdf4a087e1ce2
                                                                        • Instruction ID: be925a2c06252190233ef71a0906e14869c7c37608d715fb94f422df5931468b
                                                                        • Opcode Fuzzy Hash: 911dd3369f84a989930dc16ecf33e8e48debf57fde57329d5d5cdf4a087e1ce2
                                                                        • Instruction Fuzzy Hash: D7415CB59002499FDB15CF59C488BAAFBF5FF88314F158459D519AB360D734A841CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021B41A8, Relevance: 1.6, APIs: 1, Instructions: 85COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 021B4216
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: 3e012517f0aa17684d6f9f99ca1c335c36575faf5ad307cbee3a15fc648fcf6c
                                                                        • Instruction ID: 62df2633cd88805edf9606bbb52eb7624e6b7259de3f9e6021ef0cb579ec6f47
                                                                        • Opcode Fuzzy Hash: 3e012517f0aa17684d6f9f99ca1c335c36575faf5ad307cbee3a15fc648fcf6c
                                                                        • Instruction Fuzzy Hash: E531ADB5E003458FCB05CFA9C45069EBBF0FF89214F1185AEC419AB362D7749802CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021B6D71, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 021B6DFF
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 386f47d69897dcc5a778f6d41d5877e9748a178fec3c3744c646552a490d7f01
                                                                        • Instruction ID: e8b1c7b2ad014e556e0f55959afbdad48083413ef65ad58060c7c88a14e7a54a
                                                                        • Opcode Fuzzy Hash: 386f47d69897dcc5a778f6d41d5877e9748a178fec3c3744c646552a490d7f01
                                                                        • Instruction Fuzzy Hash: CF21E5B5900249AFDB10CFA9D584ADEBBF4FF48324F14841AE914A7310D378A955CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021B6D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 021B6DFF
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 439b80077003b367322e737465f3cc895de197dfa2630d1953dcbae529628ae3
                                                                        • Instruction ID: 7de0642a840135758e204f18e7f42cdd7126a42dce801c9fe3453426b2a27363
                                                                        • Opcode Fuzzy Hash: 439b80077003b367322e737465f3cc895de197dfa2630d1953dcbae529628ae3
                                                                        • Instruction Fuzzy Hash: 7A21C4B5900249AFDB10CFAAD584ADEBBF8FF48324F14841AE954A7310D778A954CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021BBDE9, Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RtlEncodePointer.NTDLL(00000000), ref: 021BBE72
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: EncodePointer
                                                                        • String ID:
                                                                        • API String ID: 2118026453-0
                                                                        • Opcode ID: b7fb62a0b9e0e50a689a37d84e4c5b8f9b164ebb325205f4459944dd79533050
                                                                        • Instruction ID: 7291c0046652fca3821ff6c2459a93269dc58b29f010540a633fe9f264b58b64
                                                                        • Opcode Fuzzy Hash: b7fb62a0b9e0e50a689a37d84e4c5b8f9b164ebb325205f4459944dd79533050
                                                                        • Instruction Fuzzy Hash: AE218B75944345CFDB61DF69C9883DEBBF4EB08318F24886AD485E3692C3385548CFA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 05E066B8, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,05E06699,00000800), ref: 05E0672A
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.911915259.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: ac3d6610447d8956983e52e72fae4a98653adf97a14b06c5d221aa347e224537
                                                                        • Instruction ID: 1f6f96d680eca6ffc548d40c2024aa70fdd9808109109948071177a2e8cd341e
                                                                        • Opcode Fuzzy Hash: ac3d6610447d8956983e52e72fae4a98653adf97a14b06c5d221aa347e224537
                                                                        • Instruction Fuzzy Hash: 891133B69002099FDB10CFAAD488BDEFBF4FB88324F04842AE455A7610C374A544CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 05E057F4, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,05E06699,00000800), ref: 05E0672A
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.911915259.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 8bd37a13f81df71f711e3f16bc5911f29b0d9ac9750d187d4c3badc5c2a18bd2
                                                                        • Instruction ID: cc13ce38ecd08592a127177d554faedcbb2f1dbfc33b91278d7cd27a7fd45aca
                                                                        • Opcode Fuzzy Hash: 8bd37a13f81df71f711e3f16bc5911f29b0d9ac9750d187d4c3badc5c2a18bd2
                                                                        • Instruction Fuzzy Hash: 031144B68002099FDB10CF9AD444BEEFBF4EB88324F04842EE555A7240C374A545CFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021BBDF8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RtlEncodePointer.NTDLL(00000000), ref: 021BBE72
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: EncodePointer
                                                                        • String ID:
                                                                        • API String ID: 2118026453-0
                                                                        • Opcode ID: 4630d9ae7635dea5db7d728a076a7891fabce10d53d05306bd8a4243bc4dd5c0
                                                                        • Instruction ID: 87d72b7e081490ddddd3c7546e401b5bf41aa22e78d0b4034b3839219b701413
                                                                        • Opcode Fuzzy Hash: 4630d9ae7635dea5db7d728a076a7891fabce10d53d05306bd8a4243bc4dd5c0
                                                                        • Instruction Fuzzy Hash: 5C117C75904349CFDB60DFAAC5487DEBBF4FB48318F24882AD945A3641C7386544CFA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 021B2F44, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 021B4216
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909382733.00000000021B0000.00000040.00000001.sdmp, Offset: 021B0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: afd2ee597039834e40308ea6fd01c36ef894e8e9b66858f0f95e2bd878df0e59
                                                                        • Instruction ID: 00130ffa172b515fb77b713cdb59bcdcdd1140818a3dcb1a25e72f6351e7956f
                                                                        • Opcode Fuzzy Hash: afd2ee597039834e40308ea6fd01c36ef894e8e9b66858f0f95e2bd878df0e59
                                                                        • Instruction Fuzzy Hash: D1113FB5C002498FDB10CF9AD444BDEFBF8EF88224F01846AD829B7200C378A545CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 05E09FE8, Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 05E0A045
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.911915259.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Initialize
                                                                        • String ID:
                                                                        • API String ID: 2538663250-0
                                                                        • Opcode ID: b72855eaa80586aa4103248da46d2e6eb6a435866eb057d256769d2489f441af
                                                                        • Instruction ID: d3cac1b46104f5ad87099350f0168f634fd486deff1a55a48ebc507fcf6a0d1c
                                                                        • Opcode Fuzzy Hash: b72855eaa80586aa4103248da46d2e6eb6a435866eb057d256769d2489f441af
                                                                        • Instruction Fuzzy Hash: C81103B59042489FDB20DF9AD448BDEBFF8FB48324F148429E559A3640D379A944CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 05E09090, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 05E0A045
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.911915259.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Initialize
                                                                        • String ID:
                                                                        • API String ID: 2538663250-0
                                                                        • Opcode ID: 061c34cb099c18b4834df619754c52e5049defda0c9926e4828fddc397c456f7
                                                                        • Instruction ID: 0c6b2996e9ee1b9f123148cdb3cb5727f5d2742240cfd4d1c1bed6601993f164
                                                                        • Opcode Fuzzy Hash: 061c34cb099c18b4834df619754c52e5049defda0c9926e4828fddc397c456f7
                                                                        • Instruction Fuzzy Hash: 9F1145B4804349CFDB10CF99D444BDEBBF4EB48324F148429D559B3240D778A944CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 020CD53C, Relevance: .1, Instructions: 75COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909181782.00000000020CD000.00000040.00000001.sdmp, Offset: 020CD000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d8e2cb5fbcb96fa35a363735279815d7c210eb4f4513a4caea1cc1879ad0e552
                                                                        • Instruction ID: 0353642f43ee7552fb5bd1630ac6762e843491f1882c99866043817b6f0fb12d
                                                                        • Opcode Fuzzy Hash: d8e2cb5fbcb96fa35a363735279815d7c210eb4f4513a4caea1cc1879ad0e552
                                                                        • Instruction Fuzzy Hash: 4021A1B2504344EFDB05DF14D9C0B2EBBA5FB88228F34867DE9054B246C336D956DAA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 020DD01C, Relevance: .1, Instructions: 72COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909206908.00000000020DD000.00000040.00000001.sdmp, Offset: 020DD000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ca5db295f099b893cac3184fa76a0de6dcac5846764f4259989ad71e775b153c
                                                                        • Instruction ID: f91fc5262d6f4e7df5ffa886ba9572bf666c8f1539d128fb1a1996e67459b70f
                                                                        • Opcode Fuzzy Hash: ca5db295f099b893cac3184fa76a0de6dcac5846764f4259989ad71e775b153c
                                                                        • Instruction Fuzzy Hash: 972137B2508340DFDB11CF14D8C0B16BFA5FBC4314F64CA69D9494B246C336D807DA61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 020DD006, Relevance: .1, Instructions: 60COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909206908.00000000020DD000.00000040.00000001.sdmp, Offset: 020DD000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 30f93384d3d3eda1f0304181fe026ede104220514e0b9387867707af8f27f7a4
                                                                        • Instruction ID: 0827106637dc930a90474790870c067b600a3affffef48206d184255e21cddd6
                                                                        • Opcode Fuzzy Hash: 30f93384d3d3eda1f0304181fe026ede104220514e0b9387867707af8f27f7a4
                                                                        • Instruction Fuzzy Hash: 1D21C6765093808FDB13CF20D594715BFB1EB85214F28C5DAD8498B697C33AD40ACB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 020CD537, Relevance: .1, Instructions: 56COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.909181782.00000000020CD000.00000040.00000001.sdmp, Offset: 020CD000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
                                                                        • Instruction ID: 18fb4a596b12df45c3d4669e5c9baf9d0069893160685fff02fbdc143045f772
                                                                        • Opcode Fuzzy Hash: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
                                                                        • Instruction Fuzzy Hash: 7B11B1B6504280DFDB02DF10D5C4B1ABFB2FB84324F2486ADD8494B616C33AD556DBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Function 05E0A208, Relevance: 1.9, APIs: 1, Instructions: 396COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.911915259.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7c4d9be2926ad9d47079aa011871618864a095d079fd3a7e538afd0e354a1e53
                                                                        • Instruction ID: 30a7142c4d399452bc65b102a1240b955c4e110c983bf2538bda678e73f6222c
                                                                        • Opcode Fuzzy Hash: 7c4d9be2926ad9d47079aa011871618864a095d079fd3a7e538afd0e354a1e53
                                                                        • Instruction Fuzzy Hash: 3FF13B35A00309CFEB14DFA5C888BADB7F2BF48308F15E569D445AF2A5DB74A985CB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 05E05690, Relevance: .3, Instructions: 265COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.911915259.0000000005E00000.00000040.00000001.sdmp, Offset: 05E00000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 823f6eaf71e81416099d488f9d3bb8c4de87faf760abdeb0ca498541d8823f73
                                                                        • Instruction ID: c83afe857a5b9689eb00e0619103614eae077f2fad930614af99c960fe97de95
                                                                        • Opcode Fuzzy Hash: 823f6eaf71e81416099d488f9d3bb8c4de87faf760abdeb0ca498541d8823f73
                                                                        • Instruction Fuzzy Hash: 41A16F36E00219CFCF05DFA5C8845AEBBB6FF84304B15A56BE805BB261EB75A945CF40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Analysis Process: NXLun.exe PID: 6640 Parent PID: 3424 NXLun.exeCOMMON

                                                                        Executed Functions

                                                                        Function 026F16D8, Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.753756665.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $,l
                                                                        • API String ID: 0-2860895947
                                                                        • Opcode ID: fa862cbe0cc96e77f42c0d7b26d6aeb9ad9bca6cc696a8675e62f2915a0de501
                                                                        • Instruction ID: addb3c0e262a4c14fff0586170b603c56c0770c211640ef89f82d22402605104
                                                                        • Opcode Fuzzy Hash: fa862cbe0cc96e77f42c0d7b26d6aeb9ad9bca6cc696a8675e62f2915a0de501
                                                                        • Instruction Fuzzy Hash: 7C112630B00204AFCF04EB74D415B6E77AAEB8A248F1040A9D209DB395DF71AD02CBA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 026F0F38, Relevance: .5, Instructions: 510COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.753756665.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 468a64585193d5e92ef283b480887c5d48f78772ed330d13ac4f2df2231cda18
                                                                        • Instruction ID: ed9592828204de0d1c414a408c0dc7763290c9697cb2c1e5b8b39d968e028b13
                                                                        • Opcode Fuzzy Hash: 468a64585193d5e92ef283b480887c5d48f78772ed330d13ac4f2df2231cda18
                                                                        • Instruction Fuzzy Hash: 4D225E34701602DFCB54EF34E49062E73A6EBC9349B2889ADD50687399DB75EC82CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 026F0728, Relevance: .4, Instructions: 417COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.753756665.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 24a14179961aca98f2e2f7dbcf816c31172bc76e5db21f40dd5b8ea177855a7d
                                                                        • Instruction ID: 63b37fd9c571b01f19d9503f8e13fea6073b5dd539753703c6b54d60720fed34
                                                                        • Opcode Fuzzy Hash: 24a14179961aca98f2e2f7dbcf816c31172bc76e5db21f40dd5b8ea177855a7d
                                                                        • Instruction Fuzzy Hash: AE81D035A00344CFDF159BB0D81869EBBA3EF88314F098969D502977AADF75AC91CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 026F0E31, Relevance: .1, Instructions: 88COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.753756665.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3ec0438446530c17601f6321dd60aa53303b98dbb1a1b64dda6f80b6c7db5244
                                                                        • Instruction ID: 3c31ed9daa9ac7c0eba3839ae1492e2c70a771a64e60a8b653afe3ab1e45dd16
                                                                        • Opcode Fuzzy Hash: 3ec0438446530c17601f6321dd60aa53303b98dbb1a1b64dda6f80b6c7db5244
                                                                        • Instruction Fuzzy Hash: 523136757042508FCB59AB38C468A2D37E2AF8961835208B8E542CF7B6DB35EC42CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 026F0E40, Relevance: .1, Instructions: 81COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.753756665.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1cfc4c2bb0bc62586f34cb1ea7dc4913f2991cdf110e2380558f0ac94b89c8d7
                                                                        • Instruction ID: 273cc85c57dccc84f04b0a5cdaf85938a2aa860f934408c77163b80c465cd721
                                                                        • Opcode Fuzzy Hash: 1cfc4c2bb0bc62586f34cb1ea7dc4913f2991cdf110e2380558f0ac94b89c8d7
                                                                        • Instruction Fuzzy Hash: 0321F0757042108FCB58AB79D458A2D33E2AF8961935248B8E506CF776EF36EC42CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 026F17F8, Relevance: .0, Instructions: 47COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.753756665.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2645be7ffcf5758e1f8e0f148cefff6d1607241dda890a9c2d9767224aabb5ee
                                                                        • Instruction ID: 6627b276551b4adba29fe7d2f88c8118f947f92a158a2ba84fbe0e8b3f48a06e
                                                                        • Opcode Fuzzy Hash: 2645be7ffcf5758e1f8e0f148cefff6d1607241dda890a9c2d9767224aabb5ee
                                                                        • Instruction Fuzzy Hash: F9118275E002099FCB00DFB8D8459DABBB5FF89310B1486AAE518A7221E771A914CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 026F1808, Relevance: .0, Instructions: 44COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.753756665.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3ba8be2cc8c110c7fd53674200f2cca629fe979ee2fcccfc8f37e5c3d1fb4546
                                                                        • Instruction ID: 10d2658b4246b5bfd41d624c30a4524d1aef016632ac64fd3ce11d02c4431720
                                                                        • Opcode Fuzzy Hash: 3ba8be2cc8c110c7fd53674200f2cca629fe979ee2fcccfc8f37e5c3d1fb4546
                                                                        • Instruction Fuzzy Hash: 00015276E00209DFCB40EFB5D84489EF7F5FF8D31071586A6E51597221EB31A915CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 026F0498, Relevance: .0, Instructions: 25COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.753756665.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3efd2732a78dc2aee3d64da95b07d2c426e6ddb96e6b2081e3b05281601decf9
                                                                        • Instruction ID: a512017a67696ae5ab815520353d2120565ade463cdff5a34ef3ffb68ffb8b73
                                                                        • Opcode Fuzzy Hash: 3efd2732a78dc2aee3d64da95b07d2c426e6ddb96e6b2081e3b05281601decf9
                                                                        • Instruction Fuzzy Hash: 49E09B70C45218EBCF80DBB955456DA7BF4AB09660F504075D655E310AE27147068BE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 026F0B9C, Relevance: .0, Instructions: 23COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.753756665.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a7d5613b43daeeaa028944e0afed98606f8511bba816fc4e2059462c6d54ae01
                                                                        • Instruction ID: a273ba62786e197e76d7136ff97fb26f832f4c5ed04bb20947a39233a1c3cc05
                                                                        • Opcode Fuzzy Hash: a7d5613b43daeeaa028944e0afed98606f8511bba816fc4e2059462c6d54ae01
                                                                        • Instruction Fuzzy Hash: B3F01C71A44305CFEF14DBA4C0587AD7BF0AB08318F250898D542A77A6CFB5AD84CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 026F04A8, Relevance: .0, Instructions: 17COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.753756665.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fdeba641a6c0a0f10504a56caf8dea4c7487158e9e1c5cc44a2de3225249938f
                                                                        • Instruction ID: f71b732f373b3b19debe834f52272542db94e7c002e1164f33cf715a88f0941a
                                                                        • Opcode Fuzzy Hash: fdeba641a6c0a0f10504a56caf8dea4c7487158e9e1c5cc44a2de3225249938f
                                                                        • Instruction Fuzzy Hash: 37D067B1D41229EF8B80EFB999051DEBBF8EB48250B1045A6DA19E3205E6705A10CFD1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Analysis Process: NXLun.exe PID: 5872 Parent PID: 3424 NXLun.exeCOMMON

                                                                        Executed Functions

                                                                        Function 02560F38, Relevance: 1.8, Strings: 1, Instructions: 578COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.770692338.0000000002560000.00000040.00000001.sdmp, Offset: 02560000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $,l
                                                                        • API String ID: 0-2860895947
                                                                        • Opcode ID: 5031073bc7123cf716a2326e53311bc401e9fbc09bc66e227b04103e8b6a6235
                                                                        • Instruction ID: f9f16870709ea3da7d9bf60822ff1603145798a2239aed8fad930d9cd5b49305
                                                                        • Opcode Fuzzy Hash: 5031073bc7123cf716a2326e53311bc401e9fbc09bc66e227b04103e8b6a6235
                                                                        • Instruction Fuzzy Hash: D0324E357057018FDB55EF74E8A4A3A77A2FBC8309B10C929D506873A9DB39EC42CB94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02560728, Relevance: .3, Instructions: 300COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.770692338.0000000002560000.00000040.00000001.sdmp, Offset: 02560000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7f0bd5b9f2e10cecd3ceeb0f3542bd8d05739f3d2fd9644c1e2f7ad452b38766
                                                                        • Instruction ID: 35414819d2affb5289c496e7e9d4858dd99ba15bda01d85b7c2e18a5e92a7f63
                                                                        • Opcode Fuzzy Hash: 7f0bd5b9f2e10cecd3ceeb0f3542bd8d05739f3d2fd9644c1e2f7ad452b38766
                                                                        • Instruction Fuzzy Hash: 07314A319183548FEB16DB74D82CBEA7FB2BF48314F05866AC442676A1DB349C85CB84
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 025608F0, Relevance: .2, Instructions: 190COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.770692338.0000000002560000.00000040.00000001.sdmp, Offset: 02560000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c8d885584a9a3b007be881b6e9f75a7f65ca0c3be9468a8fa53e723a1dd507b1
                                                                        • Instruction ID: 73772361cae206c9ad9b3106780c74bc6449dcdd2a1baaa8485799e2a8042cf2
                                                                        • Opcode Fuzzy Hash: c8d885584a9a3b007be881b6e9f75a7f65ca0c3be9468a8fa53e723a1dd507b1
                                                                        • Instruction Fuzzy Hash: A571A035A043458FDB169BB4C418BAEBBE3BF88304F15C529D402677B5EF35A881DB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02560E31, Relevance: .1, Instructions: 88COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.770692338.0000000002560000.00000040.00000001.sdmp, Offset: 02560000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3ede3fbb11c47cd0c9047aaf749fd8766f7c207ce717b5347da151feb5f5099e
                                                                        • Instruction ID: fa9b79ae69dfcb1d8be4791e4dc2dd93444ade40afa64730fdbea6eea986fe37
                                                                        • Opcode Fuzzy Hash: 3ede3fbb11c47cd0c9047aaf749fd8766f7c207ce717b5347da151feb5f5099e
                                                                        • Instruction Fuzzy Hash: B6314A757042108FC719AB78D468A6D77E1AF8961835248BDE442CF7B2DB35DC42CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02560E40, Relevance: .1, Instructions: 81COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.770692338.0000000002560000.00000040.00000001.sdmp, Offset: 02560000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 72c21ea16d70b08666cacce935aaec58ca02ca7b91f1567584dcca239a2aec23
                                                                        • Instruction ID: cb1d049812abc3943c1681f1a3718bf22d6b2ecdfc2086f1c23032e6aa99caf5
                                                                        • Opcode Fuzzy Hash: 72c21ea16d70b08666cacce935aaec58ca02ca7b91f1567584dcca239a2aec23
                                                                        • Instruction Fuzzy Hash: BD21F3757042108FC758AB79D458A2D73E2AF8961935248B8E506CF7B5DF3AEC42CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 025617F8, Relevance: .0, Instructions: 47COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.770692338.0000000002560000.00000040.00000001.sdmp, Offset: 02560000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a49d4f8a9e20e6f0d7940e0f4a5fe9bec1b299c318dc605744766618448d116b
                                                                        • Instruction ID: b656278fbaa6f9040835304f19e36737b827d30bd8f52d1d396cd2fc5eb8388c
                                                                        • Opcode Fuzzy Hash: a49d4f8a9e20e6f0d7940e0f4a5fe9bec1b299c318dc605744766618448d116b
                                                                        • Instruction Fuzzy Hash: E611A176E002499FCB40EFB4D8549EEFBF1FF8D300B10866AE51997622DB399915CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02561808, Relevance: .0, Instructions: 44COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.770692338.0000000002560000.00000040.00000001.sdmp, Offset: 02560000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 77f1889a78123cb5c2da44a4694067cbf9b04fe0746fd07b652f3297c13e27ec
                                                                        • Instruction ID: 883e4fc586ce4d6eec2bc7ea74759ae57fecb54f86280799351bc0f2695903d4
                                                                        • Opcode Fuzzy Hash: 77f1889a78123cb5c2da44a4694067cbf9b04fe0746fd07b652f3297c13e27ec
                                                                        • Instruction Fuzzy Hash: 4A019E36E0020ADFCB40EFB9D8548AEFBF5FF8D3007108666E51897221EB35A915CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02560480, Relevance: .0, Instructions: 37COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.770692338.0000000002560000.00000040.00000001.sdmp, Offset: 02560000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ff27330551334af61e8ceee6d23dc9edb934037783aa09acca6be0e6ee1a15aa
                                                                        • Instruction ID: a22cf16de3bec378d198272b3eb9006645885d69e5f1cab4490309771e967981
                                                                        • Opcode Fuzzy Hash: ff27330551334af61e8ceee6d23dc9edb934037783aa09acca6be0e6ee1a15aa
                                                                        • Instruction Fuzzy Hash: F1F0C261C0E3945FCB5287B459451FA3FB07A07111B0448EBC497D7493E22049098796
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02560B9C, Relevance: .0, Instructions: 23COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.770692338.0000000002560000.00000040.00000001.sdmp, Offset: 02560000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2b77876e85839bcbe6f3b161e59f34827a47538a01a55a9ed5d52d9e385f63e1
                                                                        • Instruction ID: 1ceae4e3ce5483f5fef6f224a8ee863d0a003502e388fd943ee61b49f1943a09
                                                                        • Opcode Fuzzy Hash: 2b77876e85839bcbe6f3b161e59f34827a47538a01a55a9ed5d52d9e385f63e1
                                                                        • Instruction Fuzzy Hash: 18F01C70A04315CFEB15DBA4C05CBAD7BF0BB08218F250959D442A77A1CB75AD84CB94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 025616D8, Relevance: .0, Instructions: 18COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.770692338.0000000002560000.00000040.00000001.sdmp, Offset: 02560000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6b62750e24748535dc88655c1c2792c7898821ebbeab96856882012b8ea57dba
                                                                        • Instruction ID: 6db940d935f7d1c43b0e72e4d8398a2d2f9c80d01db0bd57eff0fedf7e1fd723
                                                                        • Opcode Fuzzy Hash: 6b62750e24748535dc88655c1c2792c7898821ebbeab96856882012b8ea57dba
                                                                        • Instruction Fuzzy Hash: BCD012357102149FD714EB79E919E557BA8AB05611F104055E508CB265DB61D814C7D1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 025604A8, Relevance: .0, Instructions: 17COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.770692338.0000000002560000.00000040.00000001.sdmp, Offset: 02560000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 95df7a56caa10c53abda13193f21ad536baa5c049249f2859f0d22f392bc10f5
                                                                        • Instruction ID: 5a637509cf07370a72433c69e8a01e721f6be9af22d53ad5236fc2538223e9e4
                                                                        • Opcode Fuzzy Hash: 95df7a56caa10c53abda13193f21ad536baa5c049249f2859f0d22f392bc10f5
                                                                        • Instruction Fuzzy Hash: BDD067B1D04229AF8B50EFFD99095EEBBF8FA08251B1045A6D919E3240E6705A11CBD1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions