Windows Analysis Report Products Order.exe

Overview

General Information

Sample Name: Products Order.exe
Analysis ID: 458877
MD5: 7beee2584cd632154d34c65237cd5eb0
SHA1: d192b8805a1d874d480d791f673dbde77f12059b
SHA256: 56390f611b9571d11cdeb128435aaf3d5b282511f4a540d81912d87ffc1d2953
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • Products Order.exe (PID: 2952 cmdline: 'C:\Users\user\Desktop\Products Order.exe' MD5: 7BEEE2584CD632154D34C65237CD5EB0)
    • Products Order.exe (PID: 5888 cmdline: C:\Users\user\Desktop\Products Order.exe MD5: 7BEEE2584CD632154D34C65237CD5EB0)
  • cleanup
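The process tree above is the classic self-hollowing pattern: the sample spawns a second copy of its own image (PID 2952 creates PID 5888, same path) and, per the signatures, creates it suspended and injects the unpacked AgentTesla PE into it. The following detection logic, added here as an example and not part of the Joe Sandbox report, flags any process whose parent runs from the same image path, with an allowlist for programs that spawn copies of themselves legitimately. The process-creation records are constructed (the first two rows mirror the tree above; the explorer PID 4212, the Chrome rows and the allowlist are assumptions, not data from the report).

```python
"""Flag processes that spawn a second copy of their own image, as in the
process tree above.  Added example, not Joe Sandbox code; events below are
constructed in the shape of a Sysmon Event ID 1 export."""
import csv
import io

# Constructed events: pid, ppid, image, command line.  Rows 1-2 mirror the
# report's process tree; the parent PID 4212 and the Chrome/notepad rows are
# made up to exercise the allowlist and the no-parent case.
SAMPLE_EVENTS = r"""pid,ppid,image,cmdline
2952,4212,C:\Users\user\Desktop\Products Order.exe,'C:\Users\user\Desktop\Products Order.exe'
5888,2952,C:\Users\user\Desktop\Products Order.exe,C:\Users\user\Desktop\Products Order.exe
6120,4212,C:\Program Files\Google\Chrome\Application\chrome.exe,chrome.exe
6304,6120,C:\Program Files\Google\Chrome\Application\chrome.exe,chrome.exe --type=renderer
7016,4212,C:\Windows\System32\notepad.exe,notepad.exe
"""

# Images that spawn copies of themselves by design (browser sandboxes,
# service hosts).  Assumed starting point; tune for the environment.
SELF_SPAWN_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}


def parse_events(text):
    """Read the CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def find_self_spawn(events):
    """Return (ppid, pid, image) for each child whose image path equals its
    parent's image path, skipping allowlisted binaries.  Children whose parent
    is not in the event set (e.g. explorer.exe) cannot be judged and are skipped."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if parent["image"].lower() != e["image"].lower():
            continue
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name in SELF_SPAWN_ALLOWLIST:
            continue
        hits.append((int(e["ppid"]), int(e["pid"]), e["image"]))
    return hits


def scan_sample():
    """Run the rule over the constructed events."""
    return find_self_spawn(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for ppid, pid, image in scan_sample():
        print(f"self-spawn: {image} (PID {ppid} -> PID {pid})")
```

Process-creation telemetry does not expose CREATE_SUSPENDED, so this rule only sees the spawn, not the hollowing; pair it with the sandbox's "Creates a process in suspended mode" and "Injects a PE file into a foreign process" findings, or with an EDR that reports NtMapViewOfSection / NtWriteVirtualMemory against the child. AgentTesla loaders also commonly hollow a different .NET host (RegSvcs.exe, MSBuild.exe) rather than themselves, which this same-image rule would miss.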

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "ideshow@eflownutrition.com", "Password": "ngozi8989", "Host": "mail.scottbyscott.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Products Order.exe PID: 5888 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(1 further entry not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.Products Order.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.Products Order.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 7.2.Products Order.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ideshow@eflownutrition.com", "Password": "ngozi8989", "Host": "mail.scottbyscott.com"}
Multi AV Scanner detection for submitted file
Source: Products Order.exe | Virustotal: Detection: 61%
Source: Products Order.exe | Metadefender: Detection: 45%
Source: Products Order.exe | ReversingLabs: Detection: 78%
Machine Learning detection for sample
Source: Products Order.exe | Joe Sandbox ML: detected
Source: 7.2.Products Order.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Products Order.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Products Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | String found in binary or memory: http://oGRaXU.com
Source: Products Order.exe, 00000000.00000003.227417521.00000000062DD000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.227023489.00000000062D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Products Order.exe, 00000000.00000003.227417521.00000000062DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Products Order.exe, 00000000.00000003.227023489.00000000062D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersW
Source: Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com8
Source: Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comW
Source: Products Order.exe, 00000000.00000003.224020506.00000000062D4000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.223807220.00000000062D4000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn-
Source: Products Order.exe, 00000000.00000003.224020506.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnh
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/K
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/eta
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/w
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: Products Order.exe, 00000000.00000003.221801209.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Products Order.exe, 00000000.00000003.221801209.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com/
Source: Products Order.exe, 00000000.00000003.222128549.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comh
Source: Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kre
Source: Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krthe
Source: Products Order.exe, 00000000.00000003.222509875.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Products Order.exe, 00000000.00000003.222544938.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comn.
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | String found in binary or memory: https://Au1SDZgNiFJp.n
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | String found in binary or memory: https://Au1SDZgNiFJp.net
Source: Products Order.exe, 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\Products Order.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 7.2.Products Order.exe.400000.0.unpack, <PrivateImplementationDetails>{CA318437-79D0-47E6-AD5A-E637674672C0}/70291D60-50D6-4282-9AE4-F343420AD8FC.cs | Large array initialization: .cctor: array initializer size 11965
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Products Order.exe
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_0154AD00
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01540D30
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01546BE0
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01543790
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01548D80
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_0154C188
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01545038
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01547A5E
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01547A60
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018B6158
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018B5B21
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018B3680
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018BD3EE
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A21368
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A4C5B0
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A428C8
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A48EA0
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A4E530
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A45578
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A46490
Source: Products Order.exe, 00000000.00000000.218947395.00000000010E8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBindingFla.exe> vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.489342552.000000000178A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.496023425.0000000006740000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Products Order.exe
Source: Products Order.exe, 00000007.00000000.270811026.0000000001068000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBindingFla.exe> vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamefGTSWhFZukHSMrbrFCgDqhElwPzfvrA.exe4 vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.489864931.00000000018A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Products Order.exe
Source: Products Order.exe | Binary or memory string: OriginalFilenameBindingFla.exe> vs Products Order.exe
Source: Products Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.2.Products Order.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Products Order.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Products Order.exe.log
Source: C:\Users\user\Desktop\Products Order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Products Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Products Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Products Order.exe, 00000000.00000000.218832833.0000000000FE2000.00000002.00020000.sdmp, Products Order.exe, 00000007.00000000.270686053.0000000000F62000.00000002.00020000.sdmp | Binary or memory string: SELECT !{0}{1}[{2}].[ID]!{0}FROM [{1}]{2}5WHERE [{0}].[{1}ID] = {2};
Source: unknown | Process created: C:\Users\user\Desktop\Products Order.exe 'C:\Users\user\Desktop\Products Order.exe'
Source: C:\Users\user\Desktop\Products Order.exe | Process created: C:\Users\user\Desktop\Products Order.exe C:\Users\user\Desktop\Products Order.exe
Source: C:\Users\user\Desktop\Products Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Products Order.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Products Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Products Order.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Products Order.exe | Static file information: File size 1071104 > 1048576
Source: Products Order.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x104e00
Source: Products Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Products Order.exe | Static PE information: 0xB2837D03 [Wed Nov 26 21:47:47 2064 UTC]
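The static PE findings above (a CLR header, i.e. IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR; Characteristics LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED; DllCharacteristics NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT; a link timestamp of 0xB2837D03 that decodes to 26 November 2064) all come from three header structures. The script below, added here as an example and not Joe Sandbox's own code, parses those structures and reproduces each finding. The header bytes it parses are constructed to carry the report's values (they are not the sample's bytes), and the analysis reference date is an assumption, since the report does not state one.

```python
"""Static triage of the PE header fields listed in the report: link timestamp,
COFF Characteristics, DllCharacteristics and the CLR (COM descriptor) data
directory.  Added example, not Joe Sandbox code."""
import struct
from datetime import datetime, timezone

IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
IMAGE_DLLCHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
COM_DESCRIPTOR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def decode_flags(value, table):
    """Names of the bits set in value, in sorted order."""
    return sorted(name for bit, name in table.items() if value & bit)


def triage_pe_header(data, reference_utc):
    """Walk DOS header -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, _, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+: the 64-bit stack/heap fields shift them by 16
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    com_rva = com_size = 0
    if ndirs > COM_DESCRIPTOR_INDEX:
        com_rva, com_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * COM_DESCRIPTOR_INDEX)
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "machine": machine,
        "compiled_utc": compiled,
        "timestamp_in_future": compiled > reference_utc,
        "characteristics": decode_flags(chars, IMAGE_FILE_CHARACTERISTICS),
        "dll_characteristics": decode_flags(dllchars, IMAGE_DLLCHARACTERISTICS),
        "is_dotnet": com_rva != 0 and com_size != 0,
    }


def build_sample_header():
    """Constructed minimal PE32 header carrying the report's values
    (stamp 0xB2837D03, Characteristics 0x010E, DllCharacteristics 0x8540,
    a non-empty CLR directory).  Not the real sample's bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0xB2837D03, 0, 0, 224, 0x010E)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x8540)                       # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)  # CLR header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Assumed analysis date; the report does not state when the run happened.
ANALYSIS_REFERENCE_UTC = datetime(2021, 7, 1, tzinfo=timezone.utc)


def triage_sample():
    return triage_pe_header(build_sample_header(), ANALYSIS_REFERENCE_UTC)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key:22} {value}")
```

One caveat before treating the 2064 timestamp as deliberate tampering: the Roslyn C# compiler in deterministic mode writes a content hash into TimeDateStamp rather than a build time, so .NET binaries routinely carry nonsense dates. On its own the signature is weak; here it matters only alongside the obfuscated method names, the oversized encrypted array and the injection behaviour.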
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018BB577 push edi; retn 0000h | 7_2_018BB579
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018BD3CA push ebx; retf | 7_2_018BD3D9
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018B5A70 push es; ret | 7_2_018B5A80
Source: initial sample | Static PE information: section name: .text entropy: 7.23009151105
Source: Products Order.exe, jEJ3iSXqfk6lZpjMd1/s0Q1lMy23wLtJ5aYvV.cs | High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'jgbN2Ee7mC', 'eY4NY6BDTR', 'r8jNhYUGQW', 'rZ9NcmMoCK', 'RvGNKsD9yL', 'QY5N0DVrl6', 'orGNQsL8id'
Source: Products Order.exe, CZDWkSxlutEmWZ8Des/LjYhvLOFbulQVHUFEL.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'ftthtjKNsV', 'f7sSfvTXT9', 'vqGSsX5L7D', 'REySnMwvVc', 'a7xSzr2Lni', 'xstN2XQJav', 'Ha3NXTiuwN', 'aBXNMdIRCG'
Source: Products Order.exe, LolhYxwjKnfDh5Lfvg/EiOTPuWehH56J2e6gk.cs | High entropy of concatenated method names: 'XsdKpJToTO', 'DWyKKCOBMb', '.ctor', 'ArEp3lTxvL', 'woypD0fUOP', 'L8Fp1AjqqS', 'MZjpRXE0mT', 'lcRpoYQMVc', 'EaxpPFcmrN', 'h49ptZxvIp'
Source: Products Order.exe, RitTO5rInvUdtxtaI5/GLt03cLTDHJJZt4aoe.cs | High entropy of concatenated method names: '.ctor', 'aEGhHfbmyA', 'Dispose', 'QJehUNZOHu', 'Vlrh8kqQ6l', 'Xlch6fSA3v', 'xuThGKjNEa', 'C43h4OJ5la', 'wCGhO9D1w7', 'OwQSQav2uu'
Source: Products Order.exe, aRFd54IaycYrDka8uo/SB1f1Gm9GFCkdp0CaA.cs | High entropy of concatenated method names: '.ctor', 'pjMD9y27H', 'tXGgkr5cM', 'RcTCDHJJZ', 'H03RlFNsS', 'WQ3F1jUWi', 'cMPTG6vnp', 'wixPFs0ac', 'a4OzpaEHl', 'gkBY2mC8Lh'
Source: Products Order.exe, CjobfHSDfoL4D3dn1A/jT8ZVSfZFJS0xhiWby.cs | High entropy of concatenated method names: 'VHmLxGRbED', 'DsELadslMk', 'DTIL7bd70Y', 'wcvLyx1XRr', 'TKjLCXiU7J', 'WY6LP2GHVY', 'lbPYI22YFF', 'hMfYSemnEV', 'zR8YyOMoTd', '.ctor'
Source: Products Order.exe, mEvtZo1S3f2PmS807p/EMHZcLg6tBVwih1naU.cs | High entropy of concatenated method names: 'VTPKWxOtOu', 'yTLKwHifd7', 'bRBKDO6vcn', 'uVqKgvWWio', 'GaRKRYZsKy', 'By2KFSaJLg', 'xNjKT4bP5C', 'DDqKPewBcY', 'i7RKz5RlnZ', 'BEP02MWQDU'
Source: Products Order.exe, GZwBDXVOq9WPEOQSBN/pr8vCDeqm2b09CZnn2.cs | High entropy of concatenated method names: '.ctor', 'Save', 'MOQvSBNgB', 'Load', 'Tf1qG9GFC', 'JdpZ0CaAY', 'UFda54ayc', 'ghPHvlxODboG0C2DCb', 'tokp3wupnx7teMC9iD', 'xuWicpt6MnT8UqpIAj'
Source: Products Order.exe, BGs9jPE93YkaZhXU4o/slhC4VlMdgKEy3jB8K.cs | High entropy of concatenated method names: '.ctor', 'kKHpSRMmnC', 'zq8pyUBdbf', 'aOhpXf1Klt', 'QXApLKxUNI', 'jDqprdNlI2', 'PV163Ob6dAlDkryA2Bp', 'bS30lCbky2BSsFaaoAW', 'MwI8kvbakf9nVNXChvo', 't0OJ5xbjP0KR5rjk6G9'
Source: Products Order.exe, cmZGbTY8Zbl6eWIQRXx/AaNAGrYUblT7KK7b4Lv.cs | High entropy of concatenated method names: '.ctor', 'YD0S2X3gxc', 'mC8SYsIpwM', 'BIiShxTUdo', 'BgUScYojxn', 'PhUfPmFmkw', 'EL9ftaiNiX', 'GctfzvF3ws', 'Ckixt3AvXKY6aCuAYHw', 'BpAE9YACUrmZJy3GPVP'
Source: Products Order.exe, ldWSQ8YH7XeS9qZer8h/H75utYYa0CILewlQ0Vo.cs | High entropy of concatenated method names: '.ctor', 'JREEzlCpyP', 'lDjT2wagwJ', 'PKSfDpVYyN', 'k1Tfgha45q', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
Source: Products Order.exe, NRpH4BYZyrGXKZrqqLv/SvleMWYqQLrA5px6syY.cs | High entropy of concatenated method names: 'gh2fOxLTbn', 'zQdfx6cDoK', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
Source: Products Order.exe, ArZSSGYXL5IdB5pH0YZ/tHUMADYytMpJZW2OxgV.cs | High entropy of concatenated method names: 'Kt6QWXF8N5', 'eoDQwFBAXt', 'N7fQ36uCTk', 'q43QD0UTj4', 'XjfQg5R9bN', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
Source: Products Order.exe, a4eAFCYciwXRIvke8XM/BCgNmDYhQFiJQf76LQ7.cs | High entropy of concatenated method names: '.ctor', 'CPnQs5SfM6', 'VfiQAGhdBL', 'ovqQdlpEB2', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'PJSmeHcaKH4jqonnDSD', 'MCFunGc6e3fLfLJHAZd'
Source: Products Order.exe, G2qbT2YvtRxukMNikbA/LgygSGYBoAp4MJcxaBq.cs | High entropy of concatenated method names: '.ctor', 'hZdfs90Xh2', 'BvoEQYfVcd', 'RQIEOBSVg1', 'YhZtwtAR6O120fCynK7', 'iUsbEfAUqROPRLjyU6w', 'tCYyXgAGWxtw5hk4Oj6', 'P2ZSENADwieZ13mVHf1', 'WdjcuUA5YmwfBySMiyE', 'IeVKBRAoP7mWuJuf5Jo'
Source: Products Order.exe, SQ0tRPYrbQslkKNqwJb/QLhoT9YLQ3g3xPPayxk.cs | High entropy of concatenated method names: '.ctor', 'B9LMiN4v7K', 'vWqMs74H5V', 'oWJMN5GbqB', 'dkLMhrqjbi', 'rh5MccE9qP', 'KShMp4AdVg', 'AIdMKWxFxo', 'bswM0sPjGW', 'uCaM5pM5kL'
Source: Products Order.exe, hys8cyYdCWEPtZHKPyE/W0VpBxYJSfYM5SoSBCp.cs | High entropy of concatenated method names: '.ctor', 'cRgIqNrZmw', 'jdBIZQG6w9', 'PkiIH2j1j7', 'AbOIUD12Kg', 'get_Multiline', 'set_Multiline', 'LbDVCVsVqo', 'JoTVljqfNd', 'trYVEWruLP'
Source: Products Order.exe, Fwrc7ZYsp2tWFrurvT9/a9HxWcYiK4WifDgPB1P.cs | High entropy of concatenated method names: 'Dispose', 'I4snZbwfcu', 'lNlnabj5gU', 'N92nHUBAxj', 'MjTnUT1GUa', 'get_MinimumSize', 'set_MinimumSize', 'lWOeArWZGx', 'NukeJP7ido', 'gImeB42KB6'
Source: Products Order.exe, YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.cs | High entropy of concatenated method names: 'Iab0JWfOJK', 'kfe0dKkLj4', 'lrk0BP3TJa', 'yHC0vc0Ml5', 'nhA0qFackr', 't070ZtGVtN', 'qdQ0aSB0W6', 'WRA0Hus0Vy', 'NJr0UJvjtE', 'EjE08Isomy'
Source: Products Order.exe, NuASiyYANxi0P2J5eux/jNDFvWYujAkcugZCGBx.cs | High entropy of concatenated method names: 'tfZVfipv3V', 'VEVVSVSaLP', 'pDoVN5HQQd', 'bdyVhGFguJ', 'ov2VpmXiCS', 'clYVKIOPEN', 'wNLV0GXort', 'qiFV52hhJW', 'UaiVQJ8P0l', 'EB7V9Cli2x'
Source: 0.0.Products Order.exe.fe0000.0.unpack, jEJ3iSXqfk6lZpjMd1/s0Q1lMy23wLtJ5aYvV.cs | High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'jgbN2Ee7mC', 'eY4NY6BDTR', 'r8jNhYUGQW', 'rZ9NcmMoCK', 'RvGNKsD9yL', 'QY5N0DVrl6', 'orGNQsL8id'
Source: 0.0.Products Order.exe.fe0000.0.unpack, CZDWkSxlutEmWZ8Des/LjYhvLOFbulQVHUFEL.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'ftthtjKNsV', 'f7sSfvTXT9', 'vqGSsX5L7D', 'REySnMwvVc', 'a7xSzr2Lni', 'xstN2XQJav', 'Ha3NXTiuwN', 'aBXNMdIRCG'
Source: 0.0.Products Order.exe.fe0000.0.unpack, LolhYxwjKnfDh5Lfvg/EiOTPuWehH56J2e6gk.cs | High entropy of concatenated method names: 'XsdKpJToTO', 'DWyKKCOBMb', '.ctor', 'ArEp3lTxvL', 'woypD0fUOP', 'L8Fp1AjqqS', 'MZjpRXE0mT', 'lcRpoYQMVc', 'EaxpPFcmrN', 'h49ptZxvIp'
Source: 0.0.Products Order.exe.fe0000.0.unpack, CjobfHSDfoL4D3dn1A/jT8ZVSfZFJS0xhiWby.cs | High entropy of concatenated method names: 'VHmLxGRbED', 'DsELadslMk', 'DTIL7bd70Y', 'wcvLyx1XRr', 'TKjLCXiU7J', 'WY6LP2GHVY', 'lbPYI22YFF', 'hMfYSemnEV', 'zR8YyOMoTd', '.ctor'
Source: 0.0.Products Order.exe.fe0000.0.unpack, RitTO5rInvUdtxtaI5/GLt03cLTDHJJZt4aoe.cs | High entropy of concatenated method names: '.ctor', 'aEGhHfbmyA', 'Dispose', 'QJehUNZOHu', 'Vlrh8kqQ6l', 'Xlch6fSA3v', 'xuThGKjNEa', 'C43h4OJ5la', 'wCGhO9D1w7', 'OwQSQav2uu'
Source: 0.0.Products Order.exe.fe0000.0.unpack, mEvtZo1S3f2PmS807p/EMHZcLg6tBVwih1naU.cs | High entropy of concatenated method names: 'VTPKWxOtOu', 'yTLKwHifd7', 'bRBKDO6vcn', 'uVqKgvWWio', 'GaRKRYZsKy', 'By2KFSaJLg', 'xNjKT4bP5C', 'DDqKPewBcY', 'i7RKz5RlnZ', 'BEP02MWQDU'
Source: 0.0.Products Order.exe.fe0000.0.unpack, aRFd54IaycYrDka8uo/SB1f1Gm9GFCkdp0CaA.cs | High entropy of concatenated method names: '.ctor', 'pjMD9y27H', 'tXGgkr5cM', 'RcTCDHJJZ', 'H03RlFNsS', 'WQ3F1jUWi', 'cMPTG6vnp', 'wixPFs0ac', 'a4OzpaEHl', 'gkBY2mC8Lh'
Source: 0.0.Products Order.exe.fe0000.0.unpack, NuASiyYANxi0P2J5eux/jNDFvWYujAkcugZCGBx.cs | High entropy of concatenated method names: 'tfZVfipv3V', 'VEVVSVSaLP', 'pDoVN5HQQd', 'bdyVhGFguJ', 'ov2VpmXiCS', 'clYVKIOPEN', 'wNLV0GXort', 'qiFV52hhJW', 'UaiVQJ8P0l', 'EB7V9Cli2x'
Source: 0.0.Products Order.exe.fe0000.0.unpack, hys8cyYdCWEPtZHKPyE/W0VpBxYJSfYM5SoSBCp.cs | High entropy of concatenated method names: '.ctor', 'cRgIqNrZmw', 'jdBIZQG6w9', 'PkiIH2j1j7', 'AbOIUD12Kg', 'get_Multiline', 'set_Multiline', 'LbDVCVsVqo', 'JoTVljqfNd', 'trYVEWruLP'
Source: 0.0.Products Order.exe.fe0000.0.unpack, BGs9jPE93YkaZhXU4o/slhC4VlMdgKEy3jB8K.cs | High entropy of concatenated method names: '.ctor', 'kKHpSRMmnC', 'zq8pyUBdbf', 'aOhpXf1Klt', 'QXApLKxUNI', 'jDqprdNlI2', 'PV163Ob6dAlDkryA2Bp', 'bS30lCbky2BSsFaaoAW', 'MwI8kvbakf9nVNXChvo', 't0OJ5xbjP0KR5rjk6G9'
Source: 0.0.Products Order.exe.fe0000.0.unpack, G2qbT2YvtRxukMNikbA/LgygSGYBoAp4MJcxaBq.cs | High entropy of concatenated method names: '.ctor', 'hZdfs90Xh2', 'BvoEQYfVcd', 'RQIEOBSVg1', 'YhZtwtAR6O120fCynK7', 'iUsbEfAUqROPRLjyU6w', 'tCYyXgAGWxtw5hk4Oj6', 'P2ZSENADwieZ13mVHf1', 'WdjcuUA5YmwfBySMiyE', 'IeVKBRAoP7mWuJuf5Jo'
Source: 0.0.Products Order.exe.fe0000.0.unpack, GZwBDXVOq9WPEOQSBN/pr8vCDeqm2b09CZnn2.cs | High entropy of concatenated method names: '.ctor', 'Save', 'MOQvSBNgB', 'Load', 'Tf1qG9GFC', 'JdpZ0CaAY', 'UFda54ayc', 'ghPHvlxODboG0C2DCb', 'tokp3wupnx7teMC9iD', 'xuWicpt6MnT8UqpIAj'
Source: 0.0.Products Order.exe.fe0000.0.unpack, ArZSSGYXL5IdB5pH0YZ/tHUMADYytMpJZW2OxgV.cs | High entropy of concatenated method names: 'Kt6QWXF8N5', 'eoDQwFBAXt', 'N7fQ36uCTk', 'q43QD0UTj4', 'XjfQg5R9bN', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
Source: 0.0.Products Order.exe.fe0000.0.unpack, NRpH4BYZyrGXKZrqqLv/SvleMWYqQLrA5px6syY.cs | High entropy of concatenated method names: 'gh2fOxLTbn', 'zQdfx6cDoK', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
Source: 0.0.Products Order.exe.fe0000.0.unpack, SQ0tRPYrbQslkKNqwJb/QLhoT9YLQ3g3xPPayxk.cs | High entropy of concatenated method names: '.ctor', 'B9LMiN4v7K', 'vWqMs74H5V', 'oWJMN5GbqB', 'dkLMhrqjbi', 'rh5MccE9qP', 'KShMp4AdVg', 'AIdMKWxFxo', 'bswM0sPjGW', 'uCaM5pM5kL'
Source: 0.0.Products Order.exe.fe0000.0.unpack, ldWSQ8YH7XeS9qZer8h/H75utYYa0CILewlQ0Vo.cs | High entropy of concatenated method names: '.ctor', 'JREEzlCpyP', 'lDjT2wagwJ', 'PKSfDpVYyN', 'k1Tfgha45q', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
Source: 0.0.Products Order.exe.fe0000.0.unpack, YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.cs | High entropy of concatenated method names: 'Iab0JWfOJK', 'kfe0dKkLj4', 'lrk0BP3TJa', 'yHC0vc0Ml5', 'nhA0qFackr', 't070ZtGVtN', 'qdQ0aSB0W6', 'WRA0Hus0Vy', 'NJr0UJvjtE', 'EjE08Isomy'
Source: 0.0.Products Order.exe.fe0000.0.unpack, Fwrc7ZYsp2tWFrurvT9/a9HxWcYiK4WifDgPB1P.cs | High entropy of concatenated method names: 'Dispose', 'I4snZbwfcu', 'lNlnabj5gU', 'N92nHUBAxj', 'MjTnUT1GUa', 'get_MinimumSize', 'set_MinimumSize', 'lWOeArWZGx', 'NukeJP7ido', 'gImeB42KB6'
Source: 0.0.Products Order.exe.fe0000.0.unpack, cmZGbTY8Zbl6eWIQRXx/AaNAGrYUblT7KK7b4Lv.cs | High entropy of concatenated method names: '.ctor', 'YD0S2X3gxc', 'mC8SYsIpwM', 'BIiShxTUdo', 'BgUScYojxn', 'PhUfPmFmkw', 'EL9ftaiNiX', 'GctfzvF3ws', 'Ckixt3AvXKY6aCuAYHw', 'BpAE9YACUrmZJy3GPVP'
Source: 0.0.Products Order.exe.fe0000.0.unpack, a4eAFCYciwXRIvke8XM/BCgNmDYhQFiJQf76LQ7.cs | High entropy of concatenated method names: '.ctor', 'CPnQs5SfM6', 'VfiQAGhdBL', 'ovqQdlpEB2', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'PJSmeHcaKH4jqonnDSD', 'MCFunGc6e3fLfLJHAZd'
Source: 7.2.Products Order.exe.f60000.1.unpack, jEJ3iSXqfk6lZpjMd1/s0Q1lMy23wLtJ5aYvV.cs | High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'jgbN2Ee7mC', 'eY4NY6BDTR', 'r8jNhYUGQW', 'rZ9NcmMoCK', 'RvGNKsD9yL', 'QY5N0DVrl6', 'orGNQsL8id'
Source: 7.2.Products Order.exe.f60000.1.unpack, CZDWkSxlutEmWZ8Des/LjYhvLOFbulQVHUFEL.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'ftthtjKNsV', 'f7sSfvTXT9', 'vqGSsX5L7D', 'REySnMwvVc', 'a7xSzr2Lni', 'xstN2XQJav', 'Ha3NXTiuwN', 'aBXNMdIRCG'
Source: 7.2.Products Order.exe.f60000.1.unpack, LolhYxwjKnfDh5Lfvg/EiOTPuWehH56J2e6gk.cs | High entropy of concatenated method names: 'XsdKpJToTO', 'DWyKKCOBMb', '.ctor', 'ArEp3lTxvL', 'woypD0fUOP', 'L8Fp1AjqqS', 'MZjpRXE0mT', 'lcRpoYQMVc', 'EaxpPFcmrN', 'h49ptZxvIp'
Source: 7.2.Products Order.exe.f60000.1.unpack, RitTO5rInvUdtxtaI5/GLt03cLTDHJJZt4aoe.cs | High entropy of concatenated method names: '.ctor', 'aEGhHfbmyA', 'Dispose', 'QJehUNZOHu', 'Vlrh8kqQ6l', 'Xlch6fSA3v', 'xuThGKjNEa', 'C43h4OJ5la', 'wCGhO9D1w7', 'OwQSQav2uu'
Source: 7.2.Products Order.exe.f60000.1.unpack, aRFd54IaycYrDka8uo/SB1f1Gm9GFCkdp0CaA.cs | High entropy of concatenated method names: '.ctor', 'pjMD9y27H', 'tXGgkr5cM', 'RcTCDHJJZ', 'H03RlFNsS', 'WQ3F1jUWi', 'cMPTG6vnp', 'wixPFs0ac', 'a4OzpaEHl', 'gkBY2mC8Lh'
Source: 7.2.Products Order.exe.f60000.1.unpack, CjobfHSDfoL4D3dn1A/jT8ZVSfZFJS0xhiWby.cs | High entropy of concatenated method names: 'VHmLxGRbED', 'DsELadslMk', 'DTIL7bd70Y', 'wcvLyx1XRr', 'TKjLCXiU7J', 'WY6LP2GHVY', 'lbPYI22YFF', 'hMfYSemnEV', 'zR8YyOMoTd', '.ctor'
Source: 7.2.Products Order.exe.f60000.1.unpack, cmZGbTY8Zbl6eWIQRXx/AaNAGrYUblT7KK7b4Lv.cs | High entropy of concatenated method names: '.ctor', 'YD0S2X3gxc', 'mC8SYsIpwM', 'BIiShxTUdo', 'BgUScYojxn', 'PhUfPmFmkw', 'EL9ftaiNiX', 'GctfzvF3ws', 'Ckixt3AvXKY6aCuAYHw', 'BpAE9YACUrmZJy3GPVP'
Source: 7.2.Products Order.exe.f60000.1.unpack, mEvtZo1S3f2PmS807p/EMHZcLg6tBVwih1naU.cs | High entropy of concatenated method names: 'VTPKWxOtOu', 'yTLKwHifd7', 'bRBKDO6vcn', 'uVqKgvWWio', 'GaRKRYZsKy', 'By2KFSaJLg', 'xNjKT4bP5C', 'DDqKPewBcY', 'i7RKz5RlnZ', 'BEP02MWQDU'
Source: 7.2.Products Order.exe.f60000.1.unpack, G2qbT2YvtRxukMNikbA/LgygSGYBoAp4MJcxaBq.cs | High entropy of concatenated method names: '.ctor', 'hZdfs90Xh2', 'BvoEQYfVcd', 'RQIEOBSVg1', 'YhZtwtAR6O120fCynK7', 'iUsbEfAUqROPRLjyU6w', 'tCYyXgAGWxtw5hk4Oj6', 'P2ZSENADwieZ13mVHf1', 'WdjcuUA5YmwfBySMiyE', 'IeVKBRAoP7mWuJuf5Jo'
                Source: 7.2.Products Order.exe.f60000.1.unpack, Fwrc7ZYsp2tWFrurvT9/a9HxWcYiK4WifDgPB1P.csHigh entropy of concatenated method names: 'Dispose', 'I4snZbwfcu', 'lNlnabj5gU', 'N92nHUBAxj', 'MjTnUT1GUa', 'get_MinimumSize', 'set_MinimumSize', 'lWOeArWZGx', 'NukeJP7ido', 'gImeB42KB6'
                Source: 7.2.Products Order.exe.f60000.1.unpack, hys8cyYdCWEPtZHKPyE/W0VpBxYJSfYM5SoSBCp.csHigh entropy of concatenated method names: '.ctor', 'cRgIqNrZmw', 'jdBIZQG6w9', 'PkiIH2j1j7', 'AbOIUD12Kg', 'get_Multiline', 'set_Multiline', 'LbDVCVsVqo', 'JoTVljqfNd', 'trYVEWruLP'
                Source: 7.2.Products Order.exe.f60000.1.unpack, BGs9jPE93YkaZhXU4o/slhC4VlMdgKEy3jB8K.csHigh entropy of concatenated method names: '.ctor', 'kKHpSRMmnC', 'zq8pyUBdbf', 'aOhpXf1Klt', 'QXApLKxUNI', 'jDqprdNlI2', 'PV163Ob6dAlDkryA2Bp', 'bS30lCbky2BSsFaaoAW', 'MwI8kvbakf9nVNXChvo', 't0OJ5xbjP0KR5rjk6G9'
                Source: 7.2.Products Order.exe.f60000.1.unpack, SQ0tRPYrbQslkKNqwJb/QLhoT9YLQ3g3xPPayxk.csHigh entropy of concatenated method names: '.ctor', 'B9LMiN4v7K', 'vWqMs74H5V', 'oWJMN5GbqB', 'dkLMhrqjbi', 'rh5MccE9qP', 'KShMp4AdVg', 'AIdMKWxFxo', 'bswM0sPjGW', 'uCaM5pM5kL'
                Source: 7.2.Products Order.exe.f60000.1.unpack, GZwBDXVOq9WPEOQSBN/pr8vCDeqm2b09CZnn2.csHigh entropy of concatenated method names: '.ctor', 'Save', 'MOQvSBNgB', 'Load', 'Tf1qG9GFC', 'JdpZ0CaAY', 'UFda54ayc', 'ghPHvlxODboG0C2DCb', 'tokp3wupnx7teMC9iD', 'xuWicpt6MnT8UqpIAj'
                Source: 7.2.Products Order.exe.f60000.1.unpack, NRpH4BYZyrGXKZrqqLv/SvleMWYqQLrA5px6syY.csHigh entropy of concatenated method names: 'gh2fOxLTbn', 'zQdfx6cDoK', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
                Source: 7.2.Products Order.exe.f60000.1.unpack, ArZSSGYXL5IdB5pH0YZ/tHUMADYytMpJZW2OxgV.csHigh entropy of concatenated method names: 'Kt6QWXF8N5', 'eoDQwFBAXt', 'N7fQ36uCTk', 'q43QD0UTj4', 'XjfQg5R9bN', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
                Source: 7.2.Products Order.exe.f60000.1.unpack, NuASiyYANxi0P2J5eux/jNDFvWYujAkcugZCGBx.csHigh entropy of concatenated method names: 'tfZVfipv3V', 'VEVVSVSaLP', 'pDoVN5HQQd', 'bdyVhGFguJ', 'ov2VpmXiCS', 'clYVKIOPEN', 'wNLV0GXort', 'qiFV52hhJW', 'UaiVQJ8P0l', 'EB7V9Cli2x'
                Source: 7.2.Products Order.exe.f60000.1.unpack, ldWSQ8YH7XeS9qZer8h/H75utYYa0CILewlQ0Vo.csHigh entropy of concatenated method names: '.ctor', 'JREEzlCpyP', 'lDjT2wagwJ', 'PKSfDpVYyN', 'k1Tfgha45q', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
                Source: 7.2.Products Order.exe.f60000.1.unpack, YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.csHigh entropy of concatenated method names: 'Iab0JWfOJK', 'kfe0dKkLj4', 'lrk0BP3TJa', 'yHC0vc0Ml5', 'nhA0qFackr', 't070ZtGVtN', 'qdQ0aSB0W6', 'WRA0Hus0Vy', 'NJr0UJvjtE', 'EjE08Isomy'
                Source: 7.2.Products Order.exe.f60000.1.unpack, a4eAFCYciwXRIvke8XM/BCgNmDYhQFiJQf76LQ7.csHigh entropy of concatenated method names: '.ctor', 'CPnQs5SfM6', 'VfiQAGhdBL', 'ovqQdlpEB2', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'PJSmeHcaKH4jqonnDSD', 'MCFunGc6e3fLfLJHAZd'
                Source: 7.0.Products Order.exe.f60000.0.unpack, jEJ3iSXqfk6lZpjMd1/s0Q1lMy23wLtJ5aYvV.csHigh entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'jgbN2Ee7mC', 'eY4NY6BDTR', 'r8jNhYUGQW', 'rZ9NcmMoCK', 'RvGNKsD9yL', 'QY5N0DVrl6', 'orGNQsL8id'
                Source: 7.0.Products Order.exe.f60000.0.unpack, CZDWkSxlutEmWZ8Des/LjYhvLOFbulQVHUFEL.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'ftthtjKNsV', 'f7sSfvTXT9', 'vqGSsX5L7D', 'REySnMwvVc', 'a7xSzr2Lni', 'xstN2XQJav', 'Ha3NXTiuwN', 'aBXNMdIRCG'
                Source: 7.0.Products Order.exe.f60000.0.unpack, LolhYxwjKnfDh5Lfvg/EiOTPuWehH56J2e6gk.csHigh entropy of concatenated method names: 'XsdKpJToTO', 'DWyKKCOBMb', '.ctor', 'ArEp3lTxvL', 'woypD0fUOP', 'L8Fp1AjqqS', 'MZjpRXE0mT', 'lcRpoYQMVc', 'EaxpPFcmrN', 'h49ptZxvIp'
                Source: 7.0.Products Order.exe.f60000.0.unpack, RitTO5rInvUdtxtaI5/GLt03cLTDHJJZt4aoe.csHigh entropy of concatenated method names: '.ctor', 'aEGhHfbmyA', 'Dispose', 'QJehUNZOHu', 'Vlrh8kqQ6l', 'Xlch6fSA3v', 'xuThGKjNEa', 'C43h4OJ5la', 'wCGhO9D1w7', 'OwQSQav2uu'
                Source: 7.0.Products Order.exe.f60000.0.unpack, CjobfHSDfoL4D3dn1A/jT8ZVSfZFJS0xhiWby.csHigh entropy of concatenated method names: 'VHmLxGRbED', 'DsELadslMk', 'DTIL7bd70Y', 'wcvLyx1XRr', 'TKjLCXiU7J', 'WY6LP2GHVY', 'lbPYI22YFF', 'hMfYSemnEV', 'zR8YyOMoTd', '.ctor'
                Source: 7.0.Products Order.exe.f60000.0.unpack, aRFd54IaycYrDka8uo/SB1f1Gm9GFCkdp0CaA.csHigh entropy of concatenated method names: '.ctor', 'pjMD9y27H', 'tXGgkr5cM', 'RcTCDHJJZ', 'H03RlFNsS', 'WQ3F1jUWi', 'cMPTG6vnp', 'wixPFs0ac', 'a4OzpaEHl', 'gkBY2mC8Lh'
                Source: 7.0.Products Order.exe.f60000.0.unpack, mEvtZo1S3f2PmS807p/EMHZcLg6tBVwih1naU.csHigh entropy of concatenated method names: 'VTPKWxOtOu', 'yTLKwHifd7', 'bRBKDO6vcn', 'uVqKgvWWio', 'GaRKRYZsKy', 'By2KFSaJLg', 'xNjKT4bP5C', 'DDqKPewBcY', 'i7RKz5RlnZ', 'BEP02MWQDU'
                Source: 7.0.Products Order.exe.f60000.0.unpack, GZwBDXVOq9WPEOQSBN/pr8vCDeqm2b09CZnn2.csHigh entropy of concatenated method names: '.ctor', 'Save', 'MOQvSBNgB', 'Load', 'Tf1qG9GFC', 'JdpZ0CaAY', 'UFda54ayc', 'ghPHvlxODboG0C2DCb', 'tokp3wupnx7teMC9iD', 'xuWicpt6MnT8UqpIAj'
                Source: 7.0.Products Order.exe.f60000.0.unpack, ldWSQ8YH7XeS9qZer8h/H75utYYa0CILewlQ0Vo.csHigh entropy of concatenated method names: '.ctor', 'JREEzlCpyP', 'lDjT2wagwJ', 'PKSfDpVYyN', 'k1Tfgha45q', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
                Source: 7.0.Products Order.exe.f60000.0.unpack, BGs9jPE93YkaZhXU4o/slhC4VlMdgKEy3jB8K.csHigh entropy of concatenated method names: '.ctor', 'kKHpSRMmnC', 'zq8pyUBdbf', 'aOhpXf1Klt', 'QXApLKxUNI', 'jDqprdNlI2', 'PV163Ob6dAlDkryA2Bp', 'bS30lCbky2BSsFaaoAW', 'MwI8kvbakf9nVNXChvo', 't0OJ5xbjP0KR5rjk6G9'
                Source: 7.0.Products Order.exe.f60000.0.unpack, NRpH4BYZyrGXKZrqqLv/SvleMWYqQLrA5px6syY.csHigh entropy of concatenated method names: 'gh2fOxLTbn', 'zQdfx6cDoK', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
                Source: 7.0.Products Order.exe.f60000.0.unpack, cmZGbTY8Zbl6eWIQRXx/AaNAGrYUblT7KK7b4Lv.csHigh entropy of concatenated method names: '.ctor', 'YD0S2X3gxc', 'mC8SYsIpwM', 'BIiShxTUdo', 'BgUScYojxn', 'PhUfPmFmkw', 'EL9ftaiNiX', 'GctfzvF3ws', 'Ckixt3AvXKY6aCuAYHw', 'BpAE9YACUrmZJy3GPVP'
                Source: 7.0.Products Order.exe.f60000.0.unpack, G2qbT2YvtRxukMNikbA/LgygSGYBoAp4MJcxaBq.csHigh entropy of concatenated method names: '.ctor', 'hZdfs90Xh2', 'BvoEQYfVcd', 'RQIEOBSVg1', 'YhZtwtAR6O120fCynK7', 'iUsbEfAUqROPRLjyU6w', 'tCYyXgAGWxtw5hk4Oj6', 'P2ZSENADwieZ13mVHf1', 'WdjcuUA5YmwfBySMiyE', 'IeVKBRAoP7mWuJuf5Jo'
                Source: 7.0.Products Order.exe.f60000.0.unpack, SQ0tRPYrbQslkKNqwJb/QLhoT9YLQ3g3xPPayxk.csHigh entropy of concatenated method names: '.ctor', 'B9LMiN4v7K', 'vWqMs74H5V', 'oWJMN5GbqB', 'dkLMhrqjbi', 'rh5MccE9qP', 'KShMp4AdVg', 'AIdMKWxFxo', 'bswM0sPjGW', 'uCaM5pM5kL'
                Source: 7.0.Products Order.exe.f60000.0.unpack, ArZSSGYXL5IdB5pH0YZ/tHUMADYytMpJZW2OxgV.csHigh entropy of concatenated method names: 'Kt6QWXF8N5', 'eoDQwFBAXt', 'N7fQ36uCTk', 'q43QD0UTj4', 'XjfQg5R9bN', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
                Source: 7.0.Products Order.exe.f60000.0.unpack, hys8cyYdCWEPtZHKPyE/W0VpBxYJSfYM5SoSBCp.csHigh entropy of concatenated method names: '.ctor', 'cRgIqNrZmw', 'jdBIZQG6w9', 'PkiIH2j1j7', 'AbOIUD12Kg', 'get_Multiline', 'set_Multiline', 'LbDVCVsVqo', 'JoTVljqfNd', 'trYVEWruLP'
                Source: 7.0.Products Order.exe.f60000.0.unpack, NuASiyYANxi0P2J5eux/jNDFvWYujAkcugZCGBx.csHigh entropy of concatenated method names: 'tfZVfipv3V', 'VEVVSVSaLP', 'pDoVN5HQQd', 'bdyVhGFguJ', 'ov2VpmXiCS', 'clYVKIOPEN', 'wNLV0GXort', 'qiFV52hhJW', 'UaiVQJ8P0l', 'EB7V9Cli2x'
                Source: 7.0.Products Order.exe.f60000.0.unpack, Fwrc7ZYsp2tWFrurvT9/a9HxWcYiK4WifDgPB1P.csHigh entropy of concatenated method names: 'Dispose', 'I4snZbwfcu', 'lNlnabj5gU', 'N92nHUBAxj', 'MjTnUT1GUa', 'get_MinimumSize', 'set_MinimumSize', 'lWOeArWZGx', 'NukeJP7ido', 'gImeB42KB6'
                Source: 7.0.Products Order.exe.f60000.0.unpack, YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.csHigh entropy of concatenated method names: 'Iab0JWfOJK', 'kfe0dKkLj4', 'lrk0BP3TJa', 'yHC0vc0Ml5', 'nhA0qFackr', 't070ZtGVtN', 'qdQ0aSB0W6', 'WRA0Hus0Vy', 'NJr0UJvjtE', 'EjE08Isomy'
                Source: 7.0.Products Order.exe.f60000.0.unpack, a4eAFCYciwXRIvke8XM/BCgNmDYhQFiJQf76LQ7.csHigh entropy of concatenated method names: '.ctor', 'CPnQs5SfM6', 'VfiQAGhdBL', 'ovqQdlpEB2', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'PJSmeHcaKH4jqonnDSD', 'MCFunGc6e3fLfLJHAZd'
                Source: C:\Users\user\Desktop\Products Order.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\Products Order.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\Products Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\Products Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\Products Order.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Products Order.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Products Order.exe Window / User API: threadDelayed 662
                Source: C:\Users\user\Desktop\Products Order.exe Window / User API: threadDelayed 9180
                Source: C:\Users\user\Desktop\Products Order.exe TID: 2964 Thread sleep time: -43380s >= -30000s
                Source: C:\Users\user\Desktop\Products Order.exe TID: 4072 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\Products Order.exe TID: 6136 Thread sleep time: -16602069666338586s >= -30000s
                Source: C:\Users\user\Desktop\Products Order.exe TID: 6032 Thread sleep count: 662 > 30
                Source: C:\Users\user\Desktop\Products Order.exe TID: 6032 Thread sleep count: 9180 > 30
                Source: C:\Users\user\Desktop\Products Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\Products Order.exe Thread delayed: delay time: 43380
                Source: C:\Users\user\Desktop\Products Order.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Products Order.exe Thread delayed: delay time: 922337203685477
                Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\Products Order.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01540040 LdrInitializeThunk,7_2_01540040
                Source: C:\Users\user\Desktop\Products Order.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Products Order.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\Products Order.exe Memory written: C:\Users\user\Desktop\Products Order.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Products Order.exe Process created: C:\Users\user\Desktop\Products Order.exe C:\Users\user\Desktop\Products Order.exe
                Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp Binary or memory string: Progman
                Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
                Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
                Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Users\user\Desktop\Products Order.exe VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Users\user\Desktop\Products Order.exe | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 7.2.Products Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 7.2.Products Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Products Order.exe PID: 5888, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Products Order.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Products Order.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Products Order.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Products Order.exe PID: 5888, type: MEMORYSTR
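The accesses listed in this section (Chrome Login Data, the Firefox and Thunderbird profiles.ini files, FileZilla recentservers.xml, the SmartFTP favorites folder, and the WinSCP, IncrediMail and Outlook profile keys) are the generic infostealer signal: one process reading credential stores belonging to several unrelated applications. The Python below is an added example, not part of the Joe Sandbox report or of its signature engine. It groups file-open and registry-open telemetry by process and flags any process that touches two or more distinct credential-store families. The event record shape, the pid values and the benign control processes are constructed for the example; the artifact patterns are seeded from the paths in this report and extended with two sibling stores (FileZilla sitemanager.xml and PuTTY's Sessions key) that the report does not list.

```python
"""
Flag processes that read multiple credential stores, the behaviour the
sandbox report above attributes to Products Order.exe (PID 5888).

Added example, not Joe Sandbox output. The event records and the benign
control processes are constructed; the artifact patterns are seeded from
the report and extended with two siblings (marked "assumed" below).
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Credential-store artifacts by family. Each regex is matched against a
# normalised target (lower-cased, "/" folded to "\", HKEY_CURRENT_USER
# shortened to HKCU); "\\" inside the raw strings is a literal backslash.
ARTIFACT_PATTERNS: dict[str, list[str]] = {
    "browser": [
        r"\\google\\chrome\\user data\\[^\\]+\\login data$",  # seen in report
        r"\\mozilla\\firefox\\profiles\.ini$",                # seen in report
    ],
    "ftp": [
        r"\\filezilla\\recentservers\.xml$",                  # seen in report
        r"\\filezilla\\sitemanager\.xml$",                    # sibling, assumed
        r"\\smartftp\\client 2\.0\\favorites\\",              # seen in report
    ],
    "mail": [
        r"\\thunderbird\\profiles\.ini$",                     # seen in report
        r"^hkcu\\software\\incredimail\\identities$",         # seen in report
        r"^hkcu\\software\\microsoft\\windows nt\\currentversion"
        r"\\windows messaging subsystem\\profiles\\outlook\\",  # seen in report
    ],
    "ssh_scp": [
        r"^hkcu\\software\\martin prikryl\\winscp 2\\sessions$",  # seen in report
        r"^hkcu\\software\\simontatham\\putty\\sessions$",        # sibling, assumed
    ],
}
COMPILED = {fam: [re.compile(p) for p in pats] for fam, pats in ARTIFACT_PATTERNS.items()}


@dataclass(frozen=True)
class AccessEvent:
    """One file-open or registry-open record (constructed EDR-style shape)."""
    pid: int
    image: str
    kind: str      # "file" or "registry"
    target: str


def normalise(target: str) -> str:
    """Fold separators and the hive name so one pattern set fits files and keys."""
    t = target.replace("/", "\\").lower()
    return t.replace("hkey_current_user", "hkcu")


def classify(target: str) -> str | None:
    """Return the credential-store family a target belongs to, or None."""
    t = normalise(target)
    for family, regexes in COMPILED.items():
        if any(r.search(t) for r in regexes):
            return family
    return None


def score_processes(events: Iterable[AccessEvent], min_families: int = 2) -> list[dict]:
    """Group credential-store hits per process; report those spanning >= min_families."""
    touched: dict[tuple[int, str], dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for ev in events:
        family = classify(ev.target)
        if family is not None:
            touched[(ev.pid, ev.image)][family].add(normalise(ev.target))
    findings = []
    for (pid, image), families in touched.items():
        if len(families) >= min_families:
            findings.append({
                "pid": pid,
                "image": image,
                "families": sorted(families),
                "artifacts": sorted(a for hits in families.values() for a in hits),
            })
    # Most families first; pid breaks ties so output is deterministic.
    findings.sort(key=lambda f: (-len(f["families"]), f["pid"]))
    return findings


EXE = r"C:\Users\user\Desktop\Products Order.exe"
SAMPLE_EVENTS = [
    # PID 5888: the accesses this report attributes to the sample.
    AccessEvent(5888, EXE, "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(5888, EXE, "file", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    AccessEvent(5888, EXE, "file", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    AccessEvent(5888, EXE, "file", "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\"),
    AccessEvent(5888, EXE, "file", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    AccessEvent(5888, EXE, "registry", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    AccessEvent(5888, EXE, "registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    AccessEvent(5888, EXE, "registry", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    AccessEvent(5888, EXE, "file", r"C:\Windows\Fonts\ROCK.TTF"),  # font-enumeration noise, ignored
    # Constructed controls: each legitimately reads only its own store.
    AccessEvent(4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file",
                r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(2200, r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "file",
                r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    AccessEvent(7000, r"C:\Windows\System32\notepad.exe", "file", r"C:\Users\user\Desktop\notes.txt"),
]

if __name__ == "__main__":
    for f in score_processes(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']}: families={f['families']} artifacts={len(f['artifacts'])}")
```

The threshold of two families is what separates the sample from the controls: chrome.exe and filezilla.exe each open exactly the store they own, so they never cross it, while PID 5888 spans browser, FTP, mail and SCP stores with no business reason to read any of them. In production telemetry the same grouping keyed on (pid, image) works over Sysmon Event ID 11/12/13 or an EDR's file and registry streams; the font-file reads the report also lists are the kind of noise the classifier is meant to drop.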

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 7.2.Products Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 7.2.Products Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Products Order.exe PID: 5888, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation ²¹¹ | Path Interception | Process Injection ¹¹² | Masquerading ¹ | OS Credential Dumping ² | Query Registry ¹ | Remote Services | Email Collection ¹ | Exfiltration Over Other Network Medium | Encrypted Channel ¹ | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools ¹ | Credentials in Registry ¹ | Security Software Discovery ¹¹¹ | Remote Desktop Protocol | Archive Collected Data ¹¹ | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion ¹³¹ | Security Account Manager | Process Discovery ² | SMB/Windows Admin Shares | Data from Local System ² | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection ¹¹² | NTDS | Virtualization/Sandbox Evasion ¹³¹ | Distributed Component Object Model | Clipboard Data ¹ | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information ¹ | LSA Secrets | Application Window Discovery ¹ | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information ² | Cached Domain Credentials | System Information Discovery ¹¹⁴ | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing ³ | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp ¹ | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

(Interactive behavior graph not reproduced in this export. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)

Screenshots

(Screenshot thumbnails not reproduced in this export.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Products Order.exe | 61% | Virustotal |
Products Order.exe | 49% | Metadefender |
Products Order.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Products Order.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.Products Order.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.sajatypeworks.com/ | 0% | Virustotal |
http://www.sajatypeworks.com/ | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/K | 0% | URL Reputation | safe
https://Au1SDZgNiFJp.n | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.sandoll.co.kre | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.sandoll.co.krthe | 0% | Avira URL Cloud | safe
http://www.fonts.comW | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/w | 0% | Avira URL Cloud | safe
http://oGRaXU.com | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.tiro.comn. | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/eta | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/x | 0% | URL Reputation | safe
http://www.founder.com.cn/cn- | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/- | 0% | URL Reputation | safe
https://Au1SDZgNiFJp.net | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/n | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/d | 0% | URL Reputation | safe
http://www.fonts.com8 | 0% | URL Reputation | safe
http://www.sajatypeworks.comh | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.founder.com.cn/cnh | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com/ | Products Order.exe, 00000000.00000003.221801209.00000000062EB000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/K | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://Au1SDZgNiFJp.n | Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersW | Products Order.exe, 00000000.00000003.227023489.00000000062D9000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | Products Order.exe, 00000000.00000003.222509875.00000000062EB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Products Order.exe, 00000000.00000003.227417521.00000000062DD000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.227023489.00000000062D9000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kre | Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krthe | Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.comW | Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/w | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://oGRaXU.com | Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | Products Order.exe, 00000000.00000003.221801209.00000000062EB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comn. | Products Order.exe, 00000000.00000003.222544938.00000000062EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/ | Products Order.exe, 00000000.00000003.224020506.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/eta | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | Products Order.exe, 00000000.00000003.224020506.00000000062D4000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.223807220.00000000062D4000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/x | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn- | Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/- | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://Au1SDZgNiFJp.net | Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/n | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Products Order.exe, 00000000.00000003.227417521.00000000062DD000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/d | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com8 | Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comh | Products Order.exe, 00000000.00000003.222128549.00000000062EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Products Order.exe, 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnh | Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

No contacted IP infos

                        General Information

                        Joe Sandbox Version:33.0.0 White Diamond
                        Analysis ID:458877
                        Start date:03.08.2021
                        Start time:20:28:19
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 7m 27s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:Products Order.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                         Number of new started processes analysed:24
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@3/1@0/0
                        EGA Information:Failed
                        HDC Information:Failed
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 62
                        • Number of non-executed functions: 7
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                         • Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.

                        Simulations

                        Behavior and APIs

                         Time | Type | Description
                         20:29:29 | API Interceptor | 659x Sleep call for process: Products Order.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Products Order.exe.log
                        Process:C:\Users\user\Desktop\Products Order.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.355304211458859
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                        MD5:69206D3AF7D6EFD08F4B4726998856D3
                        SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                        SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                        SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.224209758777507
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        • Win32 Executable (generic) a (10002005/4) 49.75%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Windows Screen Saver (13104/52) 0.07%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:Products Order.exe
                        File size:1071104
                        MD5:7beee2584cd632154d34c65237cd5eb0
                        SHA1:d192b8805a1d874d480d791f673dbde77f12059b
                        SHA256:56390f611b9571d11cdeb128435aaf3d5b282511f4a540d81912d87ffc1d2953
                        SHA512:9140b9f85f5c0a90f98a9b1c40d236430cb2d4226fa6b2a9bcb78cfbec853707b379732c1332565190f8425c204a9aa2322944b1d5ab1daf51f8b55d1b2ecee5
                        SSDEEP:24576:xPWfoD8i/dEHmi0DWPTnJa7Rd0duWLCRYbuxq:5iCWrnJQRd7bYb
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}...................N..........Nm... ........@.. ....................................@................................

                        File Icon

                        Icon Hash:00828e8e8686b000

                        Static PE Info

                        General

                        Entrypoint:0x506d4e
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0xB2837D03 [Wed Nov 26 21:47:47 2064 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:v4.0.30319
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

                        Instruction
                        jmp dword ptr [00402000h]
                         add byte ptr [eax], al   (this line repeats for the rest of the preview: everything after the 6-byte jmp is zero padding, and 00 00 disassembles as add byte ptr [eax], al. The jmp dword ptr [00402000h] is the usual native stub of a managed PE32: an indirect jump through the single IAT slot at RVA 0x2000 (imagebase 0x400000 + 0x2000, IAT size 0x8 in the Data Directories below) to the only import, mscoree.dll!_CorExeMain, which hands control to the CLR. Nothing about the sample's real behavior is visible in native code here; the .NET IL is what needs to be analysed.)

                        Data Directories

                         Name | Virtual Address | Virtual Size | Is in Section
                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x106d00 | 0x4b | .text
                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x108000 | 0x5c8 | .rsrc
                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10a000 | 0xc | .reloc
                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                         Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                         .text | 0x2000 | 0x104d54 | 0x104e00 | False | 0.7057238635 | data | 7.23009151105 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                         .rsrc | 0x108000 | 0x5c8 | 0x600 | False | 0.422526041667 | data | 4.10956691089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                         .reloc | 0x10a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
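The static fields above (a link timestamp in 2064, DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE, a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, and an executable .text section with entropy 7.23) are exactly what a first-pass header triage should pull out of a PE32 before it is ever executed. The following Python is an added example written for this page, not Joe Sandbox code: it parses the DOS, COFF, optional and section headers with the standard library alone and returns those observations. Its input is a constructed minimal PE32 that carries the header values shown in this report (timestamp 0xB2837D03, entry point 0x506d4e, imagebase 0x400000, the IAT and CLR directory entries); the single .text section is filled with deterministic pseudo-random bytes as a stand-in for the real, encrypted section, whose bytes are not on this page, and the report's start time is assumed to be UTC.

```python
"""Header-level triage of a PE32 file (added example, standard library only)."""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone
from math import log2
from random import Random

# IMAGE_DLLCHARACTERISTICS_* bits that appear in the report's "DLL Characteristics" row
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14      # IMAGE_DIRECTORY_ENTRY_IAT / _COM_DESCRIPTOR indices
IMAGE_SCN_MEM_EXECUTE = 0x20000000
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
ANALYSIS_TIME = datetime(2021, 8, 3, 20, 28, 19, tzinfo=timezone.utc)  # report start, assumed UTC


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def parse_pe32(blob: bytes) -> dict:
    """Parse DOS, COFF, PE32 optional header, data directories and the section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled; PE32+ field offsets differ")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]
    ndirs = struct.unpack_from("<I", blob, opt + 92)[0]
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(ndirs)]  # (RVA, size)
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                         "entropy": shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])})
    return {
        # timedelta arithmetic instead of fromtimestamp(): a far-future stamp must not raise
        "timestamp": EPOCH + timedelta(seconds=timestamp),
        "entry_va": image_base + entry_rva,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "iat": dirs[DIR_IAT] if ndirs > DIR_IAT else (0, 0),
        "clr_header": dirs[DIR_COM_DESCRIPTOR] if ndirs > DIR_COM_DESCRIPTOR else (0, 0),
        "sections": sections,
    }


def triage(blob: bytes, analysis_time: datetime = ANALYSIS_TIME) -> list:
    """Header observations worth surfacing before any dynamic analysis."""
    pe = parse_pe32(blob)
    notes = []
    if pe["timestamp"] > analysis_time:
        notes.append(f"link timestamp {pe['timestamp']:%Y-%m-%d %H:%M:%S} UTC lies in the future (forged or randomised)")
    if pe["clr_header"][0]:
        notes.append("CLR header present: managed (.NET) image, native entry point is only a jmp to mscoree!_CorExeMain")
    for s in pe["sections"]:
        if s["executable"] and s["entropy"] > 7.0:
            notes.append(f"executable section {s['name']} has entropy {s['entropy']:.2f} (packed or encrypted payload likely)")
    return notes


def build_sample() -> bytes:
    """Constructed minimal PE32 carrying the header values from this report (not the sample's real bytes)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0xB2837D03, 0, 0, 224, 0x0102)  # i386, 1 section, 2064 stamp
    opt = bytearray(224)                                               # PE32 optional header, 16 data dirs
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x506D4E)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                          # ImageBase
    struct.pack_into("<H", opt, 68, 2)                                 # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x8540)                            # NO_SEH|TSAWARE|DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, 0x2000, 0x8)
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)
    rng = Random(1)                                                    # deterministic stand-in for the encrypted .text
    text = bytes(rng.getrandbits(8) for _ in range(4096))
    raw_ptr = 0x40 + 4 + 20 + 224 + 40                                 # data starts right after the section header
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), raw_ptr,
                       0, 0, 0, 0, 0x60000020)                         # CNT_CODE|MEM_EXECUTE|MEM_READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect + text


if __name__ == "__main__":
    for note in triage(build_sample()):
        print("-", note)
```

Run stand-alone it prints three notes: the future timestamp, the managed image, and the high-entropy executable section. The checks return their findings instead of only printing them so they can be dropped into a batch triage script, and parse_pe32() deliberately rejects PE32+ (magic 0x20b) because the optional-header offsets used here are PE32-specific.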

                        Resources

                         Name | RVA | Size | Type | Language | Country
                         RT_VERSION | 0x1080a0 | 0x33c | data | |
                         RT_MANIFEST | 0x1083dc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                        Imports

                         DLL | Import
                         mscoree.dll | _CorExeMain

                        Version Infos

                         Description | Data
                         Translation | 0x0000 0x04b0
                         LegalCopyright | Copyright 2019
                         Assembly Version | 1.0.0.0
                         InternalName | BindingFla.exe
                         FileVersion | 1.0.0.0
                         CompanyName |
                         LegalTrademarks |
                         Comments |
                         ProductName | ControlLibrary
                         ProductVersion | 1.0.0.0
                         FileDescription | ControlLibrary
                         OriginalFilename | BindingFla.exe
                         The version resource names the build BindingFla.exe / ControlLibrary, which does not match the delivered file name Products Order.exe; an OriginalFilename that differs from the on-disk name is a cheap pivot for finding renamed copies of the same loader.

                        Network Behavior

                         No network behavior found. The URLs listed above were carved from process memory dumps, not observed on the wire: the Tor Browser download URL comes from the 00000007.00000002 dump at 0x402000 and https://Au1SDZgNiFJp.net from the dump at 0x3471000, the same regions of the second Products Order.exe instance that match the AgentTesla Yara rules under System Behavior, so treat them as strings of the unpacked payload rather than as contacted infrastructure. The type-foundry URLs (jiyu-kobo, fontbureau, fonts.com, sandoll, sajatypeworks, founder) come from the first instance's dumps and are rated safe.

                        Code Manipulations

                        Statistics

                         CPU Usage

                         Memory Usage

                         High Level Behavior Distribution

                         Behavior

                        System Behavior

                        General

                        Start time:20:29:05
                        Start date:03/08/2021
                        Path:C:\Users\user\Desktop\Products Order.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\Desktop\Products Order.exe'
                        Imagebase:0xfe0000
                        File size:1071104 bytes
                        MD5 hash:7BEEE2584CD632154D34C65237CD5EB0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:low

                        General

                        Start time:20:29:30
                        Start date:03/08/2021
                        Path:C:\Users\user\Desktop\Products Order.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\Products Order.exe
                        Imagebase:0xf60000
                        File size:1071104 bytes
                        MD5 hash:7BEEE2584CD632154D34C65237CD5EB0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, Author: Joe Security
                        Reputation:low

                        Disassembly

                        Code Analysis


                          Executed Functions

                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 67ca8ec80401badec965e3ba65df4ba32b04ec48bc8e5ff508a210d85db8ae7a
                          • Instruction ID: 6f8ee0b3bb12638a7e396e37fed05d47045d54d5494966a835127cef73b7ad4b
                          • Opcode Fuzzy Hash: 67ca8ec80401badec965e3ba65df4ba32b04ec48bc8e5ff508a210d85db8ae7a
                          • Instruction Fuzzy Hash: 8A630B31D14A198ECB11EF68C88469DF7B1FF99304F15C69AE558BB221EB70AAC4CF41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 58f0adec7039d9cfa01388721a69d5e076cbc840d292e38e6c966631f1618b55
                          • Instruction ID: 72fb2ce880f2a93d1d3d6c81c4982ef9b845b5ad4f64d9bb3f672e64cb153bee
                          • Opcode Fuzzy Hash: 58f0adec7039d9cfa01388721a69d5e076cbc840d292e38e6c966631f1618b55
                          • Instruction Fuzzy Hash: 79624831E006198FCB24EF78C95469DB7F2BF89314F1089A9D54AAB754EF309E85CB81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ed6cacb9b312ff6611268888b9379f34a90187592c17fac4988056baee61cce8
                          • Instruction ID: a7a119c98b10c563c45f28cd8f6dc8c25bd81665db88a4df1fd2871b6b6446ef
                          • Opcode Fuzzy Hash: ed6cacb9b312ff6611268888b9379f34a90187592c17fac4988056baee61cce8
                          • Instruction Fuzzy Hash: 7752A030A042058FDB14DBB8C858AAEBBF2BF85308F25C469E506DB395DB35DC46CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.489993144.0000000001A40000.00000040.00000001.sdmp, Offset: 01A40000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a02050fb7dbd2fb16bce498ca38ac1164491069ab3cb684e5c4f78d6cbde25e8
                          • Instruction ID: 602d8f87874a28a5586cc1c95748ed6f1ae28e0f7280a2ac6e0757d2fcc46dc4
                          • Opcode Fuzzy Hash: a02050fb7dbd2fb16bce498ca38ac1164491069ab3cb684e5c4f78d6cbde25e8
                          • Instruction Fuzzy Hash: 00A2AF30A042088FEB25DB68C494BAFBBB2AFC9308F248169D506DF396DB75DC55CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.489993144.0000000001A40000.00000040.00000001.sdmp, Offset: 01A40000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bc521836f6b47a7b3319735bb742bac70d197b8d3e87b7eb779ac7ee997d72f4
                          • Instruction ID: 5ae7094d3da16e8b2f2c25fbac918d16c4fe0cca7cd44eee4fe1686ecac13116
                          • Opcode Fuzzy Hash: bc521836f6b47a7b3319735bb742bac70d197b8d3e87b7eb779ac7ee997d72f4
                          • Instruction Fuzzy Hash: A5720870B012048FDB25DB78C855BAEBAB2AFD9324F158069D509EF38ADB71DC428791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b54233911cc7124cf9c7f5f65988b31ebfcb76e280cc9b92ceb6507e8cbc898e
                          • Instruction ID: 4417e23bd7fc1a41ff35450a0676ff3b44e3b2a1657c8f96791a5031b813f6f9
                          • Opcode Fuzzy Hash: b54233911cc7124cf9c7f5f65988b31ebfcb76e280cc9b92ceb6507e8cbc898e
                          • Instruction Fuzzy Hash: F442A030B002059FDB24EB78DC58BAE7BE2BB89318F158469E506DB395EF35DC058B91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8063270d1a26b3b488abd88acb89e5ee485f79c94608ae0ee58cdd00c63b38d
                          • Instruction ID: da503b663dbea042296d6f2a17e1605cfd977adbca98b8e77553e7194f5cdba5
                          • Opcode Fuzzy Hash: d8063270d1a26b3b488abd88acb89e5ee485f79c94608ae0ee58cdd00c63b38d
                          • Instruction Fuzzy Hash: 1732AF30B006059FDB24DB78C894BAE77F2BB85318F148869E506DF396DB34EC858B91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ca238c07575982ec45c6cc6d01652bf272b2e7780dd636d32485755f4d6678cb
                          • Instruction ID: 57c0b6a47c6c636a41cf524028d49f2edb25816b40e554f4c13f887b665a3538
                          • Opcode Fuzzy Hash: ca238c07575982ec45c6cc6d01652bf272b2e7780dd636d32485755f4d6678cb
                          • Instruction Fuzzy Hash: 9632BD30B042098FDB14DBB8C894AAEBBF2BF95318F148569E506DB395EB35DC45CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.489993144.0000000001A40000.00000040.00000001.sdmp, Offset: 01A40000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 420b3f95546ed4301422f3e5bfc681aa2339f7073dafba05c7a0f7b9584e7b54
                          • Instruction ID: 96f1d8921b9d7367b634323625cd3d12f7700684836106987b39fe807a216e0b
                          • Opcode Fuzzy Hash: 420b3f95546ed4301422f3e5bfc681aa2339f7073dafba05c7a0f7b9584e7b54
                          • Instruction Fuzzy Hash: 2522B170B002099FDB15DBA8D884BAEBBF2AFC9314F15846AE505DB396DB35DC02CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 48a552b8a7a87273e1dc69053db8bf9d22baa608e7bdf0b694bf862167d0ce48
                          • Instruction ID: 4f3047c9229ca25e25c33c6da404e36e69f070653b10018c2a1ac7930b310c5f
                          • Opcode Fuzzy Hash: 48a552b8a7a87273e1dc69053db8bf9d22baa608e7bdf0b694bf862167d0ce48
                          • Instruction Fuzzy Hash: 3F12C434F002158FDB25DB68C9947AEBBF2BF89314F15806AD906EB395DB30DD428B91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c674900a59b046c1074571d67dad5098eafa15ebe4d3ca122384c9f168800d3d
                          • Instruction ID: d121681ef3ed84e3a250aca54aed01f8689916529697b1e54e6af8d04a399ebc
                          • Opcode Fuzzy Hash: c674900a59b046c1074571d67dad5098eafa15ebe4d3ca122384c9f168800d3d
                          • Instruction Fuzzy Hash: E2127E70A002199FDB14DF68C894BAEBBF2AF88314F148569E516EB395EB34DD41CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7104361b5ccecd22198a25de1bc6b043349db18cce59a48165afe64abe008bd0
                          • Instruction ID: 51c2f48680daa5cd5521c93b374e27f77946af16570b1e28e441e4d3a78b8dae
                          • Opcode Fuzzy Hash: 7104361b5ccecd22198a25de1bc6b043349db18cce59a48165afe64abe008bd0
                          • Instruction Fuzzy Hash: 7F024A70A00109DFDB15CFA8C984AEEBBB6BF49304F258469E905EB365E730EE55CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7f41a97262594ed835e42f198dfb22abc7cb48efc006eabee1bbee029edccefe
                          • Instruction ID: 5a5441b2c3f9cb744683ec4b7f600f80fa6a7d356165a59f77f57f88dc1db974
                          • Opcode Fuzzy Hash: 7f41a97262594ed835e42f198dfb22abc7cb48efc006eabee1bbee029edccefe
                          • Instruction Fuzzy Hash: 69F18D30A006199FCB24DFB8C94869EBBF2BF89318F158529D505EF399DB35DC428B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 737711bd565408d82b5740af0548f5a52e0d81c044b961550886a104008854e8
                          • Instruction ID: 8371da1433cbf207e4b85a74bbf8b17656df04b6b0892f0435dbd6762b7a2c57
                          • Opcode Fuzzy Hash: 737711bd565408d82b5740af0548f5a52e0d81c044b961550886a104008854e8
                          • Instruction Fuzzy Hash: D0E1AC30B002159BDB64EB798854B6EBAE3AFD8614F14882CD50AEF394DF35DC028B95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B0C11
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser$InitializeThunk
                          • String ID:
                          • API String ID: 2638914809-0
                          • Opcode ID: 0ab75e1a9b3506e48dc9ebc928aa420f87071f80f3202eaabc4a734d181b6fd1
                          • Instruction ID: 4dfdce43b14145adc9aec27f3151a93ecc949c88477526e11b517ce05f6e8476
                          • Opcode Fuzzy Hash: 0ab75e1a9b3506e48dc9ebc928aa420f87071f80f3202eaabc4a734d181b6fd1
                          • Instruction Fuzzy Hash: 83A22670A04228CFCB64EF34D9986ADB7B6BB89305F1084EAD50AA7744CB349E95CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B0C11
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser$InitializeThunk
                          • String ID:
                          • API String ID: 2638914809-0
                          • Opcode ID: b33784a4199a8d6ac6d9bdaea90a74e2e453c9cc93ef2aa8b81f2c39133d952f
                          • Instruction ID: f57f11319f53031075405bd06640506297254266a86fd2981d6815c21e1dfc6b
                          • Opcode Fuzzy Hash: b33784a4199a8d6ac6d9bdaea90a74e2e453c9cc93ef2aa8b81f2c39133d952f
                          • Instruction Fuzzy Hash: 29524D70A04228CFCBA4DF34D89869DB7B6BF89305F5044EAD64AA7740CB349E95CF11
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B0C11
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser$InitializeThunk
                          • String ID:
                          • API String ID: 2638914809-0
                          • Opcode ID: ab8f697e7baf4b25f51b172aca8b4f39d79e8322a56f4289df92ac9e44aab35c
                          • Instruction ID: b1eeada8cd7312a97c6ff5ce905e3b3a323f1354952ff60a47f4110b9ed3c68d
                          • Opcode Fuzzy Hash: ab8f697e7baf4b25f51b172aca8b4f39d79e8322a56f4289df92ac9e44aab35c
                          • Instruction Fuzzy Hash: C6524D70A04228CFCBA4DF34D8986ADB7B6BF89305F5084EAD54AA7740CB349E95CF11
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B0C11
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser$InitializeThunk
                          • String ID:
                          • API String ID: 2638914809-0
                          • Opcode ID: 2f35d144df7d5949d486fb0a027dccfb80f719244482de566d8f15d43d5e70b3
                          • Instruction ID: 6680a81bb212dabf167349ba5b96685f4d449b054de7b4ea7194ce1a4e7efa8d
                          • Opcode Fuzzy Hash: 2f35d144df7d5949d486fb0a027dccfb80f719244482de566d8f15d43d5e70b3
                          • Instruction Fuzzy Hash: AE524D70A04228CFCBA4DF34D8986ADB7B6BF89305F5044EAD54AA7740CB349E95CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B0C11
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser$InitializeThunk
                          • String ID:
                          • API String ID: 2638914809-0
                          • Opcode ID: adff24bcf450fdac4f4da4d90d97d82f8c7e29795e9c1ecf5daa7c8164041139
                          • Instruction ID: d6e5b85fd179ae122f3c71fc419cf25e696ee968935bede3790decc3ea7bac43
                          • Opcode Fuzzy Hash: adff24bcf450fdac4f4da4d90d97d82f8c7e29795e9c1ecf5daa7c8164041139
                          • Instruction Fuzzy Hash: 96524E70A04228CFCBA4EF34D8986ADB7B6BF89305F5044EAD54AA7740CB349E95CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B0C11
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser$InitializeThunk
                          • String ID:
                          • API String ID: 2638914809-0
                          • Opcode ID: 195e56a8e5c71fc7d49f6ecad6e12ca04997c1d887038de90097351b9bf949a6
                          • Instruction ID: 1d34f60f8e680a800d8aa838d16caf26383cda650b7919c1694f10072bba0516
                          • Opcode Fuzzy Hash: 195e56a8e5c71fc7d49f6ecad6e12ca04997c1d887038de90097351b9bf949a6
                          • Instruction Fuzzy Hash: 05524E70A04228CFCBA4DF34D8986ADB7B6BF89305F5044EAD54AA7740CB349E95CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B0C11
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser$InitializeThunk
                          • String ID:
                          • API String ID: 2638914809-0
                          • Opcode ID: 4799c2ac86ed5f313e4c6876a2785b287078428162068818884f6ca547efcf2c
                          • Instruction ID: 22cbcea5b9dea07078c0684ad8b6db8c3bc185f3b1f3f7b72bf9bfce2e65a53a
                          • Opcode Fuzzy Hash: 4799c2ac86ed5f313e4c6876a2785b287078428162068818884f6ca547efcf2c
                          • Instruction Fuzzy Hash: 46525D70A04228CFCBA4DF34D8986ADB7B6BF89305F5084EAD50AA7740CB349E95CF11
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionInitializeThunkUser
                          • String ID:
                          • API String ID: 243558500-0
                          • Opcode ID: e3c0bd9cfd1d9eda6684c5571ed1570dc515f4aebe4d0da7a44755e19db0ed5b
                          • Instruction ID: d855d3dd244029cd9081b6472ed15fe133ab484fe9e172d1bcd16b8d7683ae76
                          • Opcode Fuzzy Hash: e3c0bd9cfd1d9eda6684c5571ed1570dc515f4aebe4d0da7a44755e19db0ed5b
                          • Instruction Fuzzy Hash: 48525D70A04228CFCBA4EF34D8986ADB7B6BF89305F5044EAD54AA7740CB349E95CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionInitializeThunkUser
                          • String ID:
                          • API String ID: 243558500-0
                          • Opcode ID: f61051b1fd7caad8fd45b84c2402e71fc63f9c814126ab6188ee54c38c7041ef
                          • Instruction ID: 9fb92d7484b6f99396aa58ab650f22c4e411a643c313931fcd5408f421601c87
                          • Opcode Fuzzy Hash: f61051b1fd7caad8fd45b84c2402e71fc63f9c814126ab6188ee54c38c7041ef
                          • Instruction Fuzzy Hash: 25424D70A04228CFCBA4EF34D8986ADB7B6BF89305F5044EAD50AA7740CB349E95CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionInitializeThunkUser
                          • String ID:
                          • API String ID: 243558500-0
                          • Opcode ID: cdf778ff15494f1f39dff5f23f22f6052cc13d12ecfd72a70d7ec2d267fa374a
                          • Instruction ID: 5dce0f3679b63f76fcf862e7744152dbf0e723fcdd72250b754ba168bf999c4a
                          • Opcode Fuzzy Hash: cdf778ff15494f1f39dff5f23f22f6052cc13d12ecfd72a70d7ec2d267fa374a
                          • Instruction Fuzzy Hash: EA424D70A04228CFCBA4EF34D8986ADB7B6BF89305F5044EAD50AA7740CB349E95CF55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionInitializeThunkUser
                          • String ID:
                          • API String ID: 243558500-0
                          • Opcode ID: f9e599c500c4f7afd24dcfde2c611b0bb33d5b259c81a96e3379e414a861cb9c
                          • Instruction ID: 6e7989922c7a17271959f65a7e2c1f27b2f301757c6e1ab4a34bed469fc3438b
                          • Opcode Fuzzy Hash: f9e599c500c4f7afd24dcfde2c611b0bb33d5b259c81a96e3379e414a861cb9c
                          • Instruction Fuzzy Hash: E5424D70A05228CFCBA4EF34D8986AD77B6BF89305F1044EAD64AA7740CB349E95CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionInitializeThunkUser
                          • String ID:
                          • API String ID: 243558500-0
                          • Opcode ID: 26a241cc3889706ca9d33fbbfd38fc798e723822caaaaa99b8780511f9972b76
                          • Instruction ID: 4c7938f90e844950c26e9c2c66a1982bd7a878b83a33f3e62b42d7675a896f62
                          • Opcode Fuzzy Hash: 26a241cc3889706ca9d33fbbfd38fc798e723822caaaaa99b8780511f9972b76
                          • Instruction Fuzzy Hash: E6424D70A05228CFCBA4EF34D8986ADB7B6BF89305F1044EAD54AA7740CB349E95CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionInitializeThunkUser
                          • String ID:
                          • API String ID: 243558500-0
                          • Opcode ID: bee671176cb2c8037a62ef0fa0246e4a2d864f4a13eaf2173e4300d911ed3a36
                          • Instruction ID: 936fa64d1523adbd1d96a349b448ddafbe8a7d2b04e2fc2b5ec4b9a49cb06506
                          • Opcode Fuzzy Hash: bee671176cb2c8037a62ef0fa0246e4a2d864f4a13eaf2173e4300d911ed3a36
                          • Instruction Fuzzy Hash: E5424D70A05228CFCBA4EF34D8986AD77B6BF89305F1044EAD54AA7740CB349E95CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionInitializeThunkUser
                          • String ID:
                          • API String ID: 243558500-0
                          • Opcode ID: 7b8792d88da5db701f2f46ad484f7fe22e25add8485044ce675009c7986bc781
                          • Instruction ID: 65165808f393a63b7ff6a71b5822c680f7141988bc1600ba24f7627063e60555
                          • Opcode Fuzzy Hash: 7b8792d88da5db701f2f46ad484f7fe22e25add8485044ce675009c7986bc781
                          • Instruction Fuzzy Hash: 2B424C70A05228CFCBA4EF34D8986AD77B6BF89305F1044EAD64AA7740CB349E95CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LdrInitializeThunk.NTDLL ref: 018B0F55
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionInitializeThunkUser
                          • String ID:
                          • API String ID: 243558500-0
                          • Opcode ID: a23e9ba6ef9b079a39c3707b0443f58deab58147fb7de63a9941d608d45093cd
                          • Instruction ID: dfa7ac02874c84a472127a0c37c74a8998780c30c18c85a6d468d276da8417f7
                          • Opcode Fuzzy Hash: a23e9ba6ef9b079a39c3707b0443f58deab58147fb7de63a9941d608d45093cd
                          • Instruction Fuzzy Hash: 5A423D70A05228CFCBA4EF34D8986AD77B6BF89305F1084EAD50AA7740CB349E95CF55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: efc41e85e01afdc15273d5be4f1b939cfd9699a461afc901e7a21c2e46f9e0d1
                          • Instruction ID: d63e3c7ed38ecc1a554942ca350310e1c8981151386c5c935ad497f0f6eb7724
                          • Opcode Fuzzy Hash: efc41e85e01afdc15273d5be4f1b939cfd9699a461afc901e7a21c2e46f9e0d1
                          • Instruction Fuzzy Hash: 2A021C74904228CFCBA4DF34D8986AC77B2BF89209F5044EAD64AA7740CB349E95CF25
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: ff88da65715cfbecbddaf3f2868c0cced06d957872cd228c66c89c29f043c39a
                          • Instruction ID: 97f0916dd1b888584ead2db34877a9f18124efb145eb0358b0a1607484078f03
                          • Opcode Fuzzy Hash: ff88da65715cfbecbddaf3f2868c0cced06d957872cd228c66c89c29f043c39a
                          • Instruction Fuzzy Hash: 12022C74904228CFCBA4DF34D8986AC77B2BF89205F5044EAD64AA7740CB349E95CF25
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: 970c3932c150e96bb8c2ac6ffdad42d35d3f6749f07d41824c6b7cdf2477f8c6
                          • Instruction ID: cacda0bfeb9f8e1d139d705c6cc7801a5fdc13ad882d9cdacec09ff7f2e1d61d
                          • Opcode Fuzzy Hash: 970c3932c150e96bb8c2ac6ffdad42d35d3f6749f07d41824c6b7cdf2477f8c6
                          • Instruction Fuzzy Hash: C7021C74904228CFCBA4DF34D8986AD77B2BF89305F5044EAD64AA7740CB349E95CF25
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: 1a57908c35ebf8d3eb92b033c5b036ce107f816bc43455ab699c3b0b788ba6a3
                          • Instruction ID: a4e2a1c950b37cc44f7f1f5f1512356817d3a264347bfa001d6fa9d6ddade99d
                          • Opcode Fuzzy Hash: 1a57908c35ebf8d3eb92b033c5b036ce107f816bc43455ab699c3b0b788ba6a3
                          • Instruction Fuzzy Hash: 1BF12C74904228CFCBA4DF34D8986ADB7B2BF89205F5044EAD64AA7700CB349E95CF25
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: de05cb034431b7dc5ffd16b29eda2e9b7d90cd1a7c8d261c0754661a98a908d7
                          • Instruction ID: a33775c28eebe8bb12fa6c8c2b5b202867801317ebd7f9b298d1f2c2b91cf978
                          • Opcode Fuzzy Hash: de05cb034431b7dc5ffd16b29eda2e9b7d90cd1a7c8d261c0754661a98a908d7
                          • Instruction Fuzzy Hash: B9F12C74904228CFCBA4DF34D8986AD77B2BF89205F5044EAD64AA7700CB349E95CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1404
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: fa2d8e1b2289ee99da58b626d472cb91c396f1da5c7d1ec16b96aa8c609c09d7
                          • Instruction ID: 9ca01465ee54cd184ff6411906bc5fbde9a9efbdafcf151e004273b28babdd71
                          • Opcode Fuzzy Hash: fa2d8e1b2289ee99da58b626d472cb91c396f1da5c7d1ec16b96aa8c609c09d7
                          • Instruction Fuzzy Hash: F6F12CB4904228CFCBA4DF34D8986AD77B2BF89205F5044EAD64AA7700CB349E95CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: 8b530556117ea1d28cfe03e918e45ce30ec644f7e76c8ece27e6d83d9d1940ff
                          • Instruction ID: 43cc8e1b4b75425d21ec317617963218d8ea046b0cf222da6e55aa60eeff9492
                          • Opcode Fuzzy Hash: 8b530556117ea1d28cfe03e918e45ce30ec644f7e76c8ece27e6d83d9d1940ff
                          • Instruction Fuzzy Hash: 8FF12CB4904228CFCBA4DF34D8986AD77B2BF89205F5044EAD64AA7700CB349E95CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: 1d2c59f26f74bdc3619cdd2cea65b5094eccdec0b651e0a85aa37c25d4eba68a
                          • Instruction ID: 829e58a0570a7bcbb7f0b4040cc40902b03be9eb191923330f2856a01a0aebf2
                          • Opcode Fuzzy Hash: 1d2c59f26f74bdc3619cdd2cea65b5094eccdec0b651e0a85aa37c25d4eba68a
                          • Instruction Fuzzy Hash: F4E13DB0904228CFCBA4DF34D8986AD77B2BF89205F5044EAD64AA7700CB349E95CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: d2ea905c603adb67a18ee78c4cc830af16c3e67a80e80acef390629d4d7ae846
                          • Instruction ID: e2d714ea361006c36e4a7f4f8dcbeffd048148232953ce256f611e436bf64f44
                          • Opcode Fuzzy Hash: d2ea905c603adb67a18ee78c4cc830af16c3e67a80e80acef390629d4d7ae846
                          • Instruction Fuzzy Hash: DAE12DB4904228CFCBA4DF34D8986AD77B2BF89205F5044EAD64AA7700CB349E95CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: 62a0edd3792b4e43f8dba8c4e79bf56d6cb15fc8112e47513615259cce695e6d
                          • Instruction ID: 8a1e76f7d777c1fa661956c0478fb390817bb1cf72c7f949495c911e2394bff4
                          • Opcode Fuzzy Hash: 62a0edd3792b4e43f8dba8c4e79bf56d6cb15fc8112e47513615259cce695e6d
                          • Instruction Fuzzy Hash: 8AE12EB490422CCFCBA4DF34D8986ADB7B2BF89209F5044E9D64A97700CB349E95CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: 7b74ca7f36dbf1c9ba56ad17976437b77db5f0cae730cf3be3745b4dffc778a0
                          • Instruction ID: a9b9602cd37067b018c922159ce0af700da7fa46f99f83311636cd8d02ec9324
                          • Opcode Fuzzy Hash: 7b74ca7f36dbf1c9ba56ad17976437b77db5f0cae730cf3be3745b4dffc778a0
                          • Instruction Fuzzy Hash: 71E12DB4904228CFCBA4DF34D8986AD77B2BF89305F5044E9D64AA7700CB349E95CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: d47be2365b270b0ea52d9fe792226fe1a6a9907df8048c5b09db13d7ef258836
                          • Instruction ID: b5249cce6168d8ede8d7a40d9fe15146d6d2c497f2bb0e9b2453693e9d98a143
                          • Opcode Fuzzy Hash: d47be2365b270b0ea52d9fe792226fe1a6a9907df8048c5b09db13d7ef258836
                          • Instruction Fuzzy Hash: 64D12EB4A0422CCFCBA4DF34D8986AD77B2BF89209F5044E9D64A97700CB349E95CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: a9da8ebccb0d64369642953218a3d37472f5e31a09cf8ddadad599e0d3c2b448
                          • Instruction ID: e86225ef236649389a028a08b2df57cd48e9d1f13c8a4cfd1be7053f40a26550
                          • Opcode Fuzzy Hash: a9da8ebccb0d64369642953218a3d37472f5e31a09cf8ddadad599e0d3c2b448
                          • Instruction Fuzzy Hash: 11D13EB4A0422CCFCBA4DF34D8986AD77B2BF89205F5044E9D64AA7700CB349E95CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          • Opcode ID: 9873fe30fb3de9f3e7b6a4312439d2412d9f99ef947994791a266e7ff070057e
                          • Instruction ID: 6e7ea49e8020ecfb6cd0a1aba8a1732f2bcad49576e7f4a65fb15d59ec6d42f1
                          • Opcode Fuzzy Hash: 9873fe30fb3de9f3e7b6a4312439d2412d9f99ef947994791a266e7ff070057e
                          • Instruction Fuzzy Hash: 67D12EB4A0422CCFCBA4DF34D8986AD77B2BF89205F5044E9D64AA7700CB349E95CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • KiUserExceptionDispatcher.NTDLL ref: 018B1936
                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID: DispatcherExceptionUser
                          • String ID:
                          • API String ID: 6842923-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000007.00000002.489993144.0000000001A40000.00000040.00000001.sdmp, Offset: 01A40000, based on PE: false
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000007.00000002.489993144.0000000001A40000.00000040.00000001.sdmp, Offset: 01A40000, based on PE: false
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.489975241.0000000001A20000.00000040.00000001.sdmp, Offset: 01A20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0154B6EC
                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0154B959
                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0154B959
                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0154B6EC
                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GlobalMemoryStatusEx.KERNELBASE ref: 01A210B7
                          Memory Dump Source
                          • Source File: 00000007.00000002.489975241.0000000001A20000.00000040.00000001.sdmp, Offset: 01A20000, based on PE: false
                          Similarity
                          • API ID: GlobalMemoryStatus
                          • String ID:
                          • API String ID: 1890195054-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Memory Dump Source
                          • Source File: 00000007.00000002.489993144.0000000001A40000.00000040.00000001.sdmp, Offset: 01A40000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.489993144.0000000001A40000.00000040.00000001.sdmp, Offset: 01A40000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.488679162.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.489993144.0000000001A40000.00000040.00000001.sdmp, Offset: 01A40000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.489975241.0000000001A20000.00000040.00000001.sdmp, Offset: 01A20000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000002.489879344.00000000018B0000.00000040.00000001.sdmp, Offset: 018B0000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%