
Windows Analysis Report 29.7.2021.exe

Overview

General Information

Sample Name: 29.7.2021.exe
Analysis ID: 458935
MD5: 1aae6bb425f9754d217037e354db1f3b
SHA1: 0fd447e79c9e9d9e50f268474a5a187b77c524dd
SHA256: 61b5c977dcd06cf5ecc11af4dc0190c189f55a644a771675812c0d65f27d1ae6
Tags: exe

Most interesting Screenshot: (image not included)

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large strings
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • 29.7.2021.exe (PID: 1004 cmdline: 'C:\Users\user\Desktop\29.7.2021.exe' MD5: 1AAE6BB425F9754D217037E354DB1F3B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "kintkinty@vivaldi.net", "Password": "pmoneyboy994", "Host": "smtp.vivaldi.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.491962978.0000000000D70000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.491962978.0000000000D70000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.496151220.00000000037A9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.496151220.00000000037A9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(4 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.29.7.2021.exe.d70000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.29.7.2021.exe.d70000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.29.7.2021.exe.d70000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.29.7.2021.exe.d70000.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.29.7.2021.exe.37df960.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(3 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.29.7.2021.exe.d70000.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "kintkinty@vivaldi.net", "Password": "pmoneyboy994", "Host": "smtp.vivaldi.net"}

Multi AV Scanner detection for submitted file
Source: 29.7.2021.exe | Virustotal: Detection: 64%
Source: 29.7.2021.exe | Metadefender: Detection: 42%
Source: 29.7.2021.exe | ReversingLabs: Detection: 82%

Machine Learning detection for sample
Source: 29.7.2021.exe | Joe Sandbox ML: detected

Source: 29.7.2021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 29.7.2021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | String found in binary or memory: http://QgZlYk.com
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 29.7.2021.exe, 00000000.00000002.492190071.0000000000E27000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: 29.7.2021.exe, 00000000.00000002.492190071.0000000000E27000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comictoV
Source: 29.7.2021.exe, 00000000.00000002.492190071.0000000000E27000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comldF
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 29.7.2021.exe, 00000000.00000002.491962978.0000000000D70000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large strings
Source: 29.7.2021.exe, ImageSilder/Transitions/Star.cs | Long String: Length: 24686
Source: 0.0.29.7.2021.exe.360000.0.unpack, ImageSilder/Transitions/Star.cs | Long String: Length: 24686
Source: 0.2.29.7.2021.exe.360000.0.unpack, ImageSilder/Transitions/Star.cs | Long String: Length: 24686

Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_003667F6
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_00AFC1D4
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_00AFE620
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_00AFE630
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DAD460
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DACD10
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DA86A0
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DA77D8
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DA4768
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DAC0D8
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DAF1C0
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DA6A50
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DAE228
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DAD450
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DACD00
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DA4758
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DAC0D0
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DAF183
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DAE227
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DA5B78
Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_04DA5B77
Source: 29.7.2021.exe | Binary or memory string: OriginalFilename vs 29.7.2021.exe
Source: 29.7.2021.exe, 00000000.00000002.491962978.0000000000D70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamelvtFIOjGSVJXMxbcomyQUmSBIxH.exe4 vs 29.7.2021.exe
Source: 29.7.2021.exe, 00000000.00000002.489807860.0000000000362000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemxRm0qe.exe< vs 29.7.2021.exe
Source: 29.7.2021.exe, 00000000.00000002.496857976.0000000003A27000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs 29.7.2021.exe
Source: 29.7.2021.exe, 00000000.00000002.495453651.0000000002C52000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameResource_Meter.dll> vs 29.7.2021.exe
Source: 29.7.2021.exe, 00000000.00000002.501816693.000000000CB60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 29.7.2021.exe
Source: 29.7.2021.exe, 00000000.00000002.492092833.0000000000DE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs 29.7.2021.exe
Source: 29.7.2021.exe, 00000000.00000002.501003553.0000000006CE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 29.7.2021.exe
Source: 29.7.2021.exe | Binary or memory string: OriginalFilenamemxRm0qe.exe< vs 29.7.2021.exe
Source: 29.7.2021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 29.7.2021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/0
Source: 29.7.2021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\29.7.2021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\29.7.2021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\29.7.2021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 29.7.2021.exe | Virustotal: Detection: 64%
Source: 29.7.2021.exe | Metadefender: Detection: 42%
Source: 29.7.2021.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\Desktop\29.7.2021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\29.7.2021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 29.7.2021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 29.7.2021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: 29.7.2021.exe, Form2.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.29.7.2021.exe.360000.0.unpack, Form2.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.29.7.2021.exe.360000.0.unpack, Form2.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\29.7.2021.exe | Code function: 0_2_0036630D push ss; ret 0_2_00366324
Source: initial sample | Static PE information: section name: .text entropy: 7.25332165725
Source: C:\Users\user\Desktop\29.7.2021.exe | Process information set: NOOPENFILEERRORBOX (50 identical entries)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: 29.7.2021.exe PID: 1004, type: MEMORYSTR

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\29.7.2021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\29.7.2021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\29.7.2021.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\29.7.2021.exe | Window / User API: threadDelayed 605
Source: C:\Users\user\Desktop\29.7.2021.exe | Window / User API: threadDelayed 9254
Source: C:\Users\user\Desktop\29.7.2021.exe TID: 6384 | Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\29.7.2021.exe TID: 6388 | Thread sleep count: 605 > 30
Source: C:\Users\user\Desktop\29.7.2021.exe TID: 6388 | Thread sleep count: 9254 > 30
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\29.7.2021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\29.7.2021.exe | Thread delayed: delay time: 922337203685477
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: 29.7.2021.exe, 00000000.00000002.501816693.000000000CB60000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 29.7.2021.exe, 00000000.00000002.501816693.000000000CB60000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 29.7.2021.exe, 00000000.00000002.501816693.000000000CB60000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: 29.7.2021.exe, 00000000.00000002.501816693.000000000CB60000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\29.7.2021.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Process token adjusted: Debug
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\29.7.2021.exe | Memory allocated: page read and write | page guard
Source: 29.7.2021.exe, 00000000.00000002.492240031.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: 29.7.2021.exe, 00000000.00000002.492240031.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: 29.7.2021.exe, 00000000.00000002.492240031.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: 29.7.2021.exe, 00000000.00000002.492240031.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: 29.7.2021.exe, 00000000.00000002.492240031.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Users\user\Desktop\29.7.2021.exe VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\29.7.2021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.29.7.2021.exe.d70000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.29.7.2021.exe.d70000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.29.7.2021.exe.37df960.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.29.7.2021.exe.37df960.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.491962978.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.496151220.00000000037A9000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.29.7.2021.exe.d70000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.29.7.2021.exe.d70000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.29.7.2021.exe.37df960.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.29.7.2021.exe.37df960.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.491962978.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.496151220.00000000037A9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 29.7.2021.exe PID: 1004, type: MEMORYSTR
                      Source: Yara match | File source: 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 29.7.2021.exe PID: 1004, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.29.7.2021.exe.d70000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.29.7.2021.exe.d70000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.29.7.2021.exe.37df960.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.29.7.2021.exe.37df960.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.491962978.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.496151220.00000000037A9000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.29.7.2021.exe.d70000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.29.7.2021.exe.d70000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.29.7.2021.exe.37df960.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.29.7.2021.exe.37df960.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.491962978.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.496151220.00000000037A9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 29.7.2021.exe PID: 1004, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 1 | Disable or Modify Tools 1 | OS Credential Dumping | Security Software Discovery 211 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 131 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 12 | Security Account Manager | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | System Information Discovery 113 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

                      Behavior Graph

                      [behavior graph image and its legend not included]

                      Screenshots

                      Thumbnails

                      [screenshot thumbnails not included]

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      29.7.2021.exe | 65% | Virustotal |
                      29.7.2021.exe | 46% | Metadefender |
                      29.7.2021.exe | 82% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                      29.7.2021.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe
                      http://www.fontbureau.coma | 0% | URL Reputation | safe
                      http://QgZlYk.com | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.coml | 0% | URL Reputation | safe
                      http://www.fontbureau.comldF | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                      http://www.fontbureau.comictoV | 0% | Avira URL Cloud | safe
                      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      http://www.sakkal.com | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://127.0.0.1:HTTP/1.1 | 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      http://www.apache.org/licenses/LICENSE-2.0 | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | | high
                      http://www.fontbureau.com | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | | high
                      http://www.fontbureau.com/designersG | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | | high
                      http://DynDns.comDynDNS | 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers/? | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | | high
                      http://www.founder.com.cn/cn/bThe | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers? | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | | high
                      http://www.tiro.com | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | | high
                      http://www.goodfont.co.kr | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.coma | 29.7.2021.exe, 00000000.00000002.492190071.0000000000E27000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
                      http://QgZlYk.com | 29.7.2021.exe, 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.carterandcone.coml | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.comldF | 29.7.2021.exe, 00000000.00000002.492190071.0000000000E27000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.sajatypeworks.com | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.typography.netD | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers/cabarga.htmlN | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | | high
                      http://www.founder.com.cn/cn/cThe | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.galapagosdesign.com/staff/dennis.htm | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://fontfabrik.com | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.founder.com.cn/cn | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers/frere-jones.html | 29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmp | false |
                                      high
                                      http://www.fontbureau.comictoV29.7.2021.exe, 00000000.00000002.492190071.0000000000E27000.00000004.00000040.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.galapagosdesign.com/DPlease29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers829.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.fonts.com29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.sandoll.co.kr29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.urwpp.deDPlease29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.zhongyicts.com.cn29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sakkal.com29.7.2021.exe, 00000000.00000002.499215842.00000000057E0000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip29.7.2021.exe, 00000000.00000002.491962978.0000000000D70000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown

                                          Contacted IPs

                                          No contacted IP infos

                                          General Information

                                          Joe Sandbox Version:33.0.0 White Diamond
                                          Analysis ID:458935
                                          Start date:03.08.2021
                                          Start time:22:09:17
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 6m 6s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:29.7.2021.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:22
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@1/0@0/0
                                          EGA Information:Failed
                                          HDC Information:
                                          • Successful, ratio: 0.2% (good quality ratio 0.1%)
                                          • Quality average: 47.9%
                                          • Quality standard deviation: 30%
                                          HCA Information:
                                          • Successful, ratio: 99%
                                          • Number of executed functions: 35
                                          • Number of non-executed functions: 6
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
22:10:58 | API Interceptor | 535x Sleep call for process: 29.7.2021.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASN

                                          No context

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.243271261799799
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:29.7.2021.exe
                                          File size:557056
                                          MD5:1aae6bb425f9754d217037e354db1f3b
                                          SHA1:0fd447e79c9e9d9e50f268474a5a187b77c524dd
                                          SHA256:61b5c977dcd06cf5ecc11af4dc0190c189f55a644a771675812c0d65f27d1ae6
                                          SHA512:c78f838a1594f91d9222c2f88f0db5849d825bd9cc78fe78eb02a2b491e71ec7d2562dcfd36f3890fe4ddee5988b2d2cd70e912408ba5a3c29225877ce87e942
                                          SSDEEP:12288:9l3p+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvX4KLg69jfUx:HTKzpn2E+vFBI8H
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@G.a..............0..v..........B.... ........@.. ....................................@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x489442
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x61024740 [Thu Jul 29 06:14:24 2021 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x893f0 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x5fc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x87448 | 0x87600 | False | 0.737038680171 | data | 7.25332165725 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x8a000 | 0x5fc | 0x600 | False | 0.446614583333 | data | 4.22227882843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x8a090 | 0x36c | data | |
RT_MANIFEST | 0x8a40c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                          Imports

DLL | Import
mscoree.dll | _CorExeMain

                                          Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2015
Assembly Version | 1.0.0.0
InternalName | mxRm0qe.exe
FileVersion | 1.0.0.0
CompanyName | smAbdullah.com
LegalTrademarks |
Comments | Created By Sm.Abdullah
ProductName | ImageControls
ProductVersion | 1.0.0.0
FileDescription | ImageControls
OriginalFilename | mxRm0qe.exe

                                          Network Behavior

                                          No network behavior found

                                          Code Manipulations

                                          Statistics

                                          CPU Usage


                                          Memory Usage


                                          High Level Behavior Distribution


                                          System Behavior

                                          General

                                          Start time:22:10:06
                                          Start date:03/08/2021
                                          Path:C:\Users\user\Desktop\29.7.2021.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\29.7.2021.exe'
                                          Imagebase:0x360000
                                          File size:557056 bytes
                                          MD5 hash:1AAE6BB425F9754D217037E354DB1F3B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.491962978.0000000000D70000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.491962978.0000000000D70000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.496151220.00000000037A9000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.496151220.00000000037A9000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.492722077.00000000027A1000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          Disassembly

                                          Code Analysis


                                            Executed Functions

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0b164c377bc3c464307995319c7f498a72561115a0adad9c91e82c11cc9f1b2c
                                            • Instruction ID: 6a6ca7830a0277097605548830f2748e1ab14258292012971ac7d042908b03db
                                            • Opcode Fuzzy Hash: 0b164c377bc3c464307995319c7f498a72561115a0adad9c91e82c11cc9f1b2c
                                            • Instruction Fuzzy Hash: 9243E774A002198FCB24DF28C988A9DB7B2BF49314F1585D9E509AB3A5DB31FD92CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: n+-
                                            • API String ID: 0-2457865492
                                            • Opcode ID: dbd159eb25a49ba056c2330845150acd7d8c416ebb9c727e30736a78504ceb59
                                            • Instruction ID: 771970f390a5b0e2b0617db1a66799d8ed911c8297c56e8cbd080a91db54bbe6
                                            • Opcode Fuzzy Hash: dbd159eb25a49ba056c2330845150acd7d8c416ebb9c727e30736a78504ceb59
                                            • Instruction Fuzzy Hash: 02D15D74E0420ACFCB04CFA9D5844AEFBB2FF89300B548599D416EB254E734EA52CF98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: n+-
                                            • API String ID: 0-2457865492
                                            • Opcode ID: 56f125cd508311ca6598788fc1b33638f019cce48625a4aba1f5f2612fb29f0d
                                            • Instruction ID: 902b32e121179dd74b5041080c49f48326210d2b16ce469b4acf698b141aaa16
                                            • Opcode Fuzzy Hash: 56f125cd508311ca6598788fc1b33638f019cce48625a4aba1f5f2612fb29f0d
                                            • Instruction Fuzzy Hash: 33C14C74E0420ADFCB04CF95D5848AEFBB2FF89301F549599D406AB254E734EA92CF98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 492d649f0bec11b9052bea288291eef0b7ef0f0ac817756f2aae0bfea847c9ff
                                            • Instruction ID: d3f1e508313865518f0c6cfb35c677421d126e7cf717441fb3e52e6805535c68
                                            • Opcode Fuzzy Hash: 492d649f0bec11b9052bea288291eef0b7ef0f0ac817756f2aae0bfea847c9ff
                                            • Instruction Fuzzy Hash: 43526D35B001159FDB18EF69C488AAEB7F2FF88314B158169E916DB3A0DB31ED51CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d1594675f3c2435079a12e4cbb77aca411b38c955a7e7a31c207db0d35612d1
                                            • Instruction ID: cfa4172cdce37be111be761f7dd8825822115c34dd95ad0dcde8eb5f6661d1a2
                                            • Opcode Fuzzy Hash: 5d1594675f3c2435079a12e4cbb77aca411b38c955a7e7a31c207db0d35612d1
                                            • Instruction Fuzzy Hash: DF91E375E042188FDB14DFA9D984ADEBBB2FF88304F10816AE509AB365DB30AD45CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a2d341b48e1e132da9c4aeed4ab49a82447d403b31c9590fb71bc14085e63a2a
                                            • Instruction ID: 721f5bbe02369297e240e4d0ba66cbe4ff437fcff3e27dc065a2bbf8f20eac45
                                            • Opcode Fuzzy Hash: a2d341b48e1e132da9c4aeed4ab49a82447d403b31c9590fb71bc14085e63a2a
                                            • Instruction Fuzzy Hash: 1C81D475E002188FDB14DFA9D984B9EBBB2FF88304F108169E509AB365DB30AD45CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2c86c5d0163cdadc5d5e97556a97e9e95090df1455c0a1c2687e00a146f819a0
                                            • Instruction ID: 9be697193fb3cccfc99e1a57209ae68080e213a302b26525cedac9a2e87b224a
                                            • Opcode Fuzzy Hash: 2c86c5d0163cdadc5d5e97556a97e9e95090df1455c0a1c2687e00a146f819a0
                                            • Instruction Fuzzy Hash: B181C174E042098FDB08CFA9C984AAEBBB2FF89310F14842AD519AB354D734A945CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80fa39f31c4460388af0d2f878bf82965c02ed2e70066a8c0bfcc27c677d050e
                                            • Instruction ID: a89f46755e8effd6b03a873836ce24990267064a7eea0b76a592ba4f236b11dd
                                            • Opcode Fuzzy Hash: 80fa39f31c4460388af0d2f878bf82965c02ed2e70066a8c0bfcc27c677d050e
                                            • Instruction Fuzzy Hash: 4B81D1B4E042098FDB08CFA9C944ADEBBF2FF89310F14842AD919AB354DB34A945CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 37f2e6cac28f599f87cdcf9129f0973233f3fe9a8e3bbe28f84e4798b641e8e4
                                            • Instruction ID: ba84c2a7f201377abba0b93ab033cf09df18dcda6683ae8ecc793133355dbba3
                                            • Opcode Fuzzy Hash: 37f2e6cac28f599f87cdcf9129f0973233f3fe9a8e3bbe28f84e4798b641e8e4
                                            • Instruction Fuzzy Hash: 1251F575E04218DFCB04DFAAC581AAEFBF2FF89304F18C569D414AB255DB34A946CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 937083f317722d27957c00bee8564558e4acca7872a48af9ca99e6a29aa1b4aa
                                            • Instruction ID: 771bf4f9b9f9ff5ecabcccadbb5556791e3671a572182b409513bdf335f2a241
                                            • Opcode Fuzzy Hash: 937083f317722d27957c00bee8564558e4acca7872a48af9ca99e6a29aa1b4aa
                                            • Instruction Fuzzy Hash: DE519EB4E0460A8FDB08CFA6C4405AEFBF3FF89300F14C56AD459A7255E7349A128F95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1860e1e21510e0052ee36e0c50d88fa430ab87d1b671c36590b837971176d1f2
                                            • Instruction ID: e3aee67c13e95e116d1d2d10916be571c85921852a256be36447b85ad171868b
                                            • Opcode Fuzzy Hash: 1860e1e21510e0052ee36e0c50d88fa430ab87d1b671c36590b837971176d1f2
                                            • Instruction Fuzzy Hash: F151D6B4E0460A8FDB08CFAAD5446AEFBF3FB89300F14C46AD419B7254E7349A518F65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2795722f14845bdaaa1f9407f181f3d30fd1db92f698397e133c2e19919798d7
                                            • Instruction ID: efada11b0c2defa0561b1679051ad82d08580ca9a7039379d80e482a4e3c8af2
                                            • Opcode Fuzzy Hash: 2795722f14845bdaaa1f9407f181f3d30fd1db92f698397e133c2e19919798d7
                                            • Instruction Fuzzy Hash: 75410871E056188FEB58DFAAD950B9EBBF3AFC9200F04C1AAD50CA7254DB305A45CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be11bf588006128074bb29e4ec169392d29e4d6eda24f0e9ec9033a923a6a948
                                            • Instruction ID: 592b8282ff5618305a43fd01d6e70cc41f1aa0ea4a6e44817f3e5323cc918c57
                                            • Opcode Fuzzy Hash: be11bf588006128074bb29e4ec169392d29e4d6eda24f0e9ec9033a923a6a948
                                            • Instruction Fuzzy Hash: 0021E571E006188BDB18CFAAD9443DEFBB3EFC8310F14C16AD508A6254DB741A55CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7b1f5351c17ac08518ad6aa1af82d18ef0c5871cb2805c56a67caca33d361bfb
                                            • Instruction ID: d9d45010ebe16fa29e3a90586e85acfee63ccc100a45b151835cd05d15da3105
                                            • Opcode Fuzzy Hash: 7b1f5351c17ac08518ad6aa1af82d18ef0c5871cb2805c56a67caca33d361bfb
                                            • Instruction Fuzzy Hash: F321DF71E046198BEB08CFABD95069EFBF3AFC8300F14C16AC519A7264DB3019568F51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 640e2fa1e89d35815e0477dbe4afac867b7e4ca1b402afd54b44daa22d91487d
                                            • Instruction ID: 403955f7b276626f6e39a220c134864cdc25a095a6fbe2eaa0ebd9cd99b8c94a
                                            • Opcode Fuzzy Hash: 640e2fa1e89d35815e0477dbe4afac867b7e4ca1b402afd54b44daa22d91487d
                                            • Instruction Fuzzy Hash: 0C21A3B1E016188BDB18CFAAD94439EFBF3AFC8300F14C16AD818AA258DB741A55CF40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00AFB7B0
                                            • GetCurrentThread.KERNEL32 ref: 00AFB7ED
                                            • GetCurrentProcess.KERNEL32 ref: 00AFB82A
                                            • GetCurrentThreadId.KERNEL32 ref: 00AFB883
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID: H
                                            • API String ID: 2063062207-1105002124
                                            • Opcode ID: 143de1400fe4a45e9c9bdd463385a4ec51d91612e415bd0fdba49aaa01b9aa4a
                                            • Instruction ID: 9030471923d14a8a30ce374ed726b9cdc1794e5c6a6491f7cb7cde90ed1eb9d5
                                            • Opcode Fuzzy Hash: 143de1400fe4a45e9c9bdd463385a4ec51d91612e415bd0fdba49aaa01b9aa4a
                                            • Instruction Fuzzy Hash: EC5172B0A103488FDB14CFA9D988BEEBBF0BF88304F248469E519A7350D7749844CB66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00AFB7B0
                                            • GetCurrentThread.KERNEL32 ref: 00AFB7ED
                                            • GetCurrentProcess.KERNEL32 ref: 00AFB82A
                                            • GetCurrentThreadId.KERNEL32 ref: 00AFB883
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID: H
                                            • API String ID: 2063062207-1105002124
                                            • Opcode ID: 0b6ebc19c07e24ae89bf46c7b871cb06335046f8fd991470a604422b237b96d0
                                            • Instruction ID: 77f37c23fcb1119bca427644ea063b49bddfed257312b33c1454c809871dbe22
                                            • Opcode Fuzzy Hash: 0b6ebc19c07e24ae89bf46c7b871cb06335046f8fd991470a604422b237b96d0
                                            • Instruction Fuzzy Hash: 475164B0E106488FDB14CFAAD588BEEBBF1BF88314F248469E419A7350D7749844CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00AF9696
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 05da9b8512a3358976a008ae228df7b1b3137c9683414201e940fc4cd4d80a2f
                                            • Instruction ID: a879b310610e411cb4719a89167179bbb3b70202e1de83d70cbd4a81270c274a
                                            • Opcode Fuzzy Hash: 05da9b8512a3358976a008ae228df7b1b3137c9683414201e940fc4cd4d80a2f
                                            • Instruction Fuzzy Hash: F3713570A00B098FDB64DF69C1517ABB7F1BF88314F00892DE64AD7A50DB35E9498F91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00AFFECA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: e28a85dfa0b859646c5f3447ca0fb4fbecf40cb51597e04b578c713f72438209
                                            • Instruction ID: abb128565b2c061ef27adc8ceb4b5acacc603bef1c9a7350f1b0d2a3b62027c4
                                            • Opcode Fuzzy Hash: e28a85dfa0b859646c5f3447ca0fb4fbecf40cb51597e04b578c713f72438209
                                            • Instruction Fuzzy Hash: 6E51CEB1D003099FDB14CFA9D884ADEFBB1BF48314F24852AE819AB210D7749986CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00AFFECA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: d8997e1547174749ea0279b8b05462718240ecefe1daffffd96250cfc84588f4
                                            • Instruction ID: 7ba470163c1c907c306f7eb1a27e300691e46a86ee23747ce136f869ff68cd9d
                                            • Opcode Fuzzy Hash: d8997e1547174749ea0279b8b05462718240ecefe1daffffd96250cfc84588f4
                                            • Instruction Fuzzy Hash: 0441BFB1D103099FDB14CFEAD884ADEFBB5BF48314F24852AE919AB210D7749845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00AF5421
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 4aacac179ecf12698286831197a8c29df2198eacee01e4d5737afa412ffe0b37
                                            • Instruction ID: ea4bdbca574e79fbcce875d89c848d44cb156dede72e31421a7940b0464aee60
                                            • Opcode Fuzzy Hash: 4aacac179ecf12698286831197a8c29df2198eacee01e4d5737afa412ffe0b37
                                            • Instruction Fuzzy Hash: 904113B0C0461CCEDB24CFA9C844BDEBBB5BF49309F248069E609AB251D775598ACF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00AF5421
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 7a222640286236cc721dcd906a00a8ac9c20554c685faf25823b3f88f44765be
                                            • Instruction ID: 3e3ff447aab392518e3a64b016faeb8323234de3d1f2c6076be9503b13a2e27c
                                            • Opcode Fuzzy Hash: 7a222640286236cc721dcd906a00a8ac9c20554c685faf25823b3f88f44765be
                                            • Instruction Fuzzy Hash: 0C4104B0C0461CCFDB24CFA9C84479EBBB5BF49309F158069E509AB251D775598ACF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AFB9FF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 943cc36cc79fb3fa00bbd001ece047a45b175ee0ee48bd6d93dfec589376c4fa
                                            • Instruction ID: a25093df78537da925ed4ba54a5d5d9cc930b825e340cbcacb45fa18bb0566d2
                                            • Opcode Fuzzy Hash: 943cc36cc79fb3fa00bbd001ece047a45b175ee0ee48bd6d93dfec589376c4fa
                                            • Instruction Fuzzy Hash: BF21E3B59102499FDF10CFA9D884AEEFBF4FB48364F14801AE919A3310D374A955CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AFB9FF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 572f2af3149e3d2f0f799e84ab55dfff48cc3e7844784db04b16ed3fabf71981
                                            • Instruction ID: b78bdffdf8bd641b5753dd4d7c2ce1510087467e5c03e8b4576761e6f71fc46d
                                            • Opcode Fuzzy Hash: 572f2af3149e3d2f0f799e84ab55dfff48cc3e7844784db04b16ed3fabf71981
                                            • Instruction Fuzzy Hash: 9121D5B59002499FDB10CFA9D484ADEFBF4FB48364F14841AE915A7310D374A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00AF9711,00000800,00000000,00000000), ref: 00AF9922
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 419f28a1ceda4a3229001c8c80ac1337aa54569b527e72e700eb7fd55108c5d5
                                            • Instruction ID: dd4c1c9cc7fdae66d86a9d1704a4aee4839b926bc69d11b20ada5a3cd2da6eaa
                                            • Opcode Fuzzy Hash: 419f28a1ceda4a3229001c8c80ac1337aa54569b527e72e700eb7fd55108c5d5
                                            • Instruction Fuzzy Hash: FE215BB6C002489FDB20CF9AD484BEFFBF4AB58314F05801EE515A7210C375A905CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00AF9711,00000800,00000000,00000000), ref: 00AF9922
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: e5986d79ec94578d27097ea7d8868d597fc254b1b2734aaf6cdd9679489b7689
                                            • Instruction ID: cf1b280a86be536f45caa9adf50cf762d4f98795eeda91d73d11855c38245713
                                            • Opcode Fuzzy Hash: e5986d79ec94578d27097ea7d8868d597fc254b1b2734aaf6cdd9679489b7689
                                            • Instruction Fuzzy Hash: 9D1103B69002099FDB10CF9AC484BEFFBF4EB98314F15842EE915A7210C3B4A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00AF9696
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: fe9c56d28b4c82c7ed264925ac4978096912789437a440a04f8c7aaae0c25922
                                            • Instruction ID: 3ea9d0ed51abdc7742b06f5755ae48db98311e9616f9df477cd41693d3b3bdfb
                                            • Opcode Fuzzy Hash: fe9c56d28b4c82c7ed264925ac4978096912789437a440a04f8c7aaae0c25922
                                            • Instruction Fuzzy Hash: 0C11DFB5D006498FDB10CF9AC444BDEFBF4AB88324F14841AD929A7600D379A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491438797.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8b075abaa46a07bc29f4c00393c64a3a5ea3ecea643a07655517616040ffa638
                                            • Instruction ID: 1f15115856e5707c56f773d8158bc86ec5815ec03f459f1d6b821afe32b61103
                                            • Opcode Fuzzy Hash: 8b075abaa46a07bc29f4c00393c64a3a5ea3ecea643a07655517616040ffa638
                                            • Instruction Fuzzy Hash: 5C2137B2604240DFCF01DF14D9C0B26BFB5FB98328F25C569E9054B246C336D896CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491438797.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3fc7748599e42f5b32406963cc2ba5a648820892f2dad9922f89a7c3f3fa42a5
                                            • Instruction ID: 64653e9e417802c27db3e5b8df5d45befa1e8d4c3b264f105425cc8f27cf2511
                                            • Opcode Fuzzy Hash: 3fc7748599e42f5b32406963cc2ba5a648820892f2dad9922f89a7c3f3fa42a5
                                            • Instruction Fuzzy Hash: CA2128B5604240DFDF00DF10D9C0B26BBA5FBD4324F24C569E9054F24AC336E896C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491513538.0000000000AAD000.00000040.00000001.sdmp, Offset: 00AAD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 639bf42c14fc8110951ce50b2394ad6115517eb10807dbcfd2648b40ef28f43b
                                            • Instruction ID: 51b7180c12b0b433bde4cdfa637e72ea1e0413f1f460f22c27ecacd3ea3277e9
                                            • Opcode Fuzzy Hash: 639bf42c14fc8110951ce50b2394ad6115517eb10807dbcfd2648b40ef28f43b
                                            • Instruction Fuzzy Hash: 512104B5508240DFCB14DF20D9C0B26BB65FB89318F24C9A9E98B4B686C336D847CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491438797.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f69d7024cdfcefd926ead02efcbb901b97aad1906707df055ccf3b322d20e9c3
                                            • Instruction ID: 89d453448baf06d42b78fefca872b9d3d1d8bfdb25dadaa2f7b272361b28571e
                                            • Opcode Fuzzy Hash: f69d7024cdfcefd926ead02efcbb901b97aad1906707df055ccf3b322d20e9c3
                                            • Instruction Fuzzy Hash: 4511E676504280CFCF11CF10D5C4B16BFB1FB84324F28C6A9D8454B656C336D896CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491438797.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f69d7024cdfcefd926ead02efcbb901b97aad1906707df055ccf3b322d20e9c3
                                            • Instruction ID: 76c74ec30013599b9b26caeea77abb82b97f8ab6cea3e0b7f53096b07dd2b06a
                                            • Opcode Fuzzy Hash: f69d7024cdfcefd926ead02efcbb901b97aad1906707df055ccf3b322d20e9c3
                                            • Instruction Fuzzy Hash: 4011D376504280DFCF11CF10D5C4B16BFB1FB94324F28C6A9D8090B656C33AE896CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491513538.0000000000AAD000.00000040.00000001.sdmp, Offset: 00AAD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e260aa7d4eec5616febf4142ed0a95566a9e8ae1fbabd20c8ce5c2b41f68a8cc
                                            • Instruction ID: 7c0cae949929d8f9fd307c5e51dc03e2823a9dfdb99a4403ca02ba126c2dc10a
                                            • Opcode Fuzzy Hash: e260aa7d4eec5616febf4142ed0a95566a9e8ae1fbabd20c8ce5c2b41f68a8cc
                                            • Instruction Fuzzy Hash: 20119075504280DFCB11CF14D5C4B15FB71FB45314F28C6AAD84A4BA96C33AD85BCB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491438797.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 811efb7de7ac5b2f0393a09f0a72593906bca74512f071d704b81ff361a85a61
                                            • Instruction ID: 339062d73a91c6393dcf16c3731cda8955992e2fe35e81846c53ff58716c1289
                                            • Opcode Fuzzy Hash: 811efb7de7ac5b2f0393a09f0a72593906bca74512f071d704b81ff361a85a61
                                            • Instruction Fuzzy Hash: 9201A77160C3449AEB108B65CDC4766BBE8EF51364F18C459ED045F286D378D884C6B2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.491438797.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 21460039381a4985b4ecf60206d3afa16cc258419c0547760bd920bb661bd181
                                            • Instruction ID: b8a7c47360ee1f37dcb44ceb75c28fbf282c480dd71f57f6eaf2e4d46a668216
                                            • Opcode Fuzzy Hash: 21460039381a4985b4ecf60206d3afa16cc258419c0547760bd920bb661bd181
                                            • Instruction Fuzzy Hash: E7F062715082449EEB108B16CDC4B62FBE8EF91774F18C55AED085F286C3789884CAB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            C-Code - Quality: 78%
                                            			E003667F6(intOrPtr* __eax, void* __ecx, void* __edx, signed int __edi, signed int __esi) {
                                            				signed char _t201;
                                            				signed char _t202;
                                            				intOrPtr* _t203;
                                            				void* _t205;
                                            				signed int _t206;
                                            				signed int _t207;
                                            				signed int _t208;
                                            				signed int _t209;
                                            				signed int _t210;
                                            				signed int _t211;
                                            				intOrPtr* _t212;
                                            				intOrPtr* _t213;
                                            				intOrPtr* _t214;
                                            				intOrPtr* _t215;
                                            				signed int _t217;
                                            				signed int _t218;
                                            				signed int _t219;
                                            				signed int _t220;
                                            				signed char _t221;
                                            				signed char _t222;
                                            				signed char _t223;
                                            				signed char _t224;
                                            				signed int _t225;
                                            				signed int _t226;
                                            				signed char _t228;
                                            				signed char _t229;
                                            				signed char _t230;
                                            				signed char _t232;
                                            				signed int _t234;
                                            				intOrPtr* _t235;
                                            				intOrPtr* _t236;
                                            				signed char _t238;
                                            				signed int _t239;
                                            				signed int _t240;
                                            				signed char _t241;
                                            				signed char _t242;
                                            				void* _t243;
                                            				intOrPtr* _t244;
                                            				intOrPtr* _t245;
                                            				intOrPtr* _t246;
                                            				intOrPtr* _t247;
                                            				intOrPtr* _t248;
                                            				intOrPtr* _t249;
                                            				intOrPtr* _t250;
                                            				signed int _t251;
                                            				signed int _t252;
                                            				signed char _t254;
                                            				signed int _t255;
                                            				signed int _t258;
                                            				intOrPtr* _t260;
                                            				intOrPtr* _t263;
                                            				signed int _t266;
                                            				signed char _t267;
                                            				intOrPtr* _t269;
                                            				signed char _t271;
                                            				signed char _t272;
                                            				intOrPtr* _t273;
                                            				void* _t277;
                                            				signed int* _t278;
                                            				signed int* _t280;
                                            				intOrPtr* _t283;
                                            				intOrPtr _t284;
                                            				intOrPtr* _t288;
                                            				void* _t290;
                                            				signed char _t291;
                                            				void* _t292;
                                            				intOrPtr* _t293;
                                            				signed int* _t294;
                                            				void* _t295;
                                            				signed char _t296;
                                            				signed int _t299;
                                            				signed int _t300;
                                            				signed int _t302;
                                            				signed int _t303;
                                            				signed int _t304;
                                            				signed int _t305;
                                            				signed int _t308;
                                            				void* _t309;
                                            				intOrPtr* _t311;
                                            				signed char _t312;
                                            				void* _t313;
                                            				void* _t314;
                                            
                                            				_t302 = __esi;
                                            				_t299 = __edi;
                                            				_t292 = __edx;
                                            				_t201 = _t312;
                                            				_t313 = __eax +  *__eax;
                                            				 *_t201 =  *_t201 & _t201;
                                            				 *_t201 =  *_t201 + _t201;
                                            				 *((intOrPtr*)(__esi - 0x3fb41f8)) =  *((intOrPtr*)(__esi - 0x3fb41f8)) + _t201;
                                            				_t202 = _t201 + 0x20ac0004;
                                            				 *_t202 =  *_t202 + _t202;
                                            				 *_t202 =  *_t202 + _t202;
                                            				_t269 =  *_t202;
                                            				 *_t202 = __ecx;
                                            				 *((intOrPtr*)(_t269 + _t202)) = 0xc0000406;
                                            				 *_t202 =  *_t202 & _t202;
                                            				 *_t202 =  *_t202 + _t202;
                                            				 *((intOrPtr*)(__esi + 0x6120618)) =  *((intOrPtr*)(__esi + 0x6120618)) + _t202;
                                            				 *0x212400 =  *0x212400 + _t202;
                                            				 *_t202 =  *_t202 + _t202;
                                            				_t203 = _t202 + _t202;
                                            				 *((intOrPtr*)(__esi + 0x500480f)) =  *((intOrPtr*)(__esi + 0x500480f)) + _t269;
                                            				 *_t269 =  *_t269 + __edx;
                                            				 *_t203 =  *_t203 + _t203;
                                            				 *((intOrPtr*)(__edx + 0xf)) =  *((intOrPtr*)(__edx + 0xf)) + _t269;
                                            				_t205 = _t203 + _t203 - 1;
                                            				 *__esi =  *__esi + _t205;
                                            				 *_t269 =  *_t269 + _t205;
                                            				asm("les eax, [eax]");
                                            				asm("adc [esi], ecx");
                                            				es = ss;
                                            				 *((intOrPtr*)(__esi + 0x21)) =  *((intOrPtr*)(__esi + 0x21)) + __edx;
                                            				_t206 = _t205 + _t205;
                                            				_t271 = _t269 + __edx |  *__esi;
                                            				 *_t206 =  *_t206 | _t206;
                                            				 *_t206 =  *_t206 + _t206;
                                            				 *_t206 =  *_t206 + _t206;
                                            				asm("les eax, [eax]");
                                            				if( *_t206 >= 0) {
                                            					_pop(es);
                                            					_push(es);
                                            					 *_t206 =  *_t206 | _t206;
                                            					 *__esi =  *__esi | _t206;
                                            					 *_t206 =  *_t206 + _t206;
                                            					 *_t206 =  *_t206 + _t206;
                                            					asm("les eax, [eax]");
                                            					asm("adc eax, 0x3f000a00");
                                            					 *[es:eax] =  *[es:eax] + _t206;
                                            				}
                                            				 *_t206 =  *_t206 + _t206;
                                            				 *_t206 =  *_t206 + 0x61641;
                                            				_t207 = _t206 |  *_t206;
                                            				_push(_t207);
                                            				 *[es:eax] =  *[es:eax] + _t207;
                                            				 *_t207 =  *_t207 + _t207;
                                            				_t208 = _t302;
                                            				_t303 = _t207;
                                            				 *(_t303 + 0xb060d10) =  *(_t303 + 0xb060d10) | _t208;
                                            				 *((intOrPtr*)(_t208 + 0x26)) =  *((intOrPtr*)(_t208 + 0x26)) + _t271;
                                            				 *_t208 =  *_t208 + _t208;
                                            				 *_t208 =  *_t208 + _t208;
                                            				_t209 = _t303;
                                            				_t304 = _t208;
                                            				 *(_t271 + 0xb060d05) =  *(_t271 + 0xb060d05) | 0x00000007;
                                            				 *((intOrPtr*)(_t299 + 0x26)) =  *((intOrPtr*)(_t299 + 0x26)) + 7;
                                            				 *_t209 =  *_t209 + _t209;
                                            				 *_t209 =  *_t209 + _t209;
                                            				_t260 =  *_t209;
                                            				 *_t209 = 7;
                                            				_push(es);
                                            				asm("adc al, [esi]");
                                            				 *_t260 =  *_t260 + _t271;
                                            				 *((intOrPtr*)(_t209 + 0x26)) =  *((intOrPtr*)(_t209 + 0x26)) + _t271;
                                            				 *((intOrPtr*)(_t304 + 0x6120618)) =  *((intOrPtr*)(_t304 + 0x6120618)) + _t209;
                                            				 *_t260 =  *_t260 + _t271;
                                            				 *((intOrPtr*)(_t209 + 0x26)) =  *((intOrPtr*)(_t209 + 0x26)) + _t209;
                                            				 *((intOrPtr*)(_t271 - 0x2cfde600)) =  *((intOrPtr*)(_t271 - 0x2cfde600)) + _t209;
                                            				_t272 = _t271 +  *_t260;
                                            				_t210 = _t209 + _t209;
                                            				asm("daa");
                                            				 *_t210 =  *_t210 + _t210;
                                            				 *_t210 =  *_t210 + _t210;
                                            				 *_t210 =  *_t210 + 0x6110292;
                                            				_t211 = _t210 | 0x00283800;
                                            				 *_t211 =  *_t211 + _t211;
                                            				_t212 = _t211 + _t211;
                                            				 *((intOrPtr*)(_t260 + 0x10001507)) =  *((intOrPtr*)(_t260 + 0x10001507)) + _t292;
                                            				 *((intOrPtr*)(_t212 + 0x28)) =  *((intOrPtr*)(_t212 + 0x28)) + _t292;
                                            				 *_t212 =  *_t212 + _t212;
                                            				 *_t212 =  *_t212 + _t212;
                                            				 *_t212 =  *_t212 + 0x61641;
                                            				asm("adc [eax], eax");
                                            				asm("stosd");
                                            				_t213 = _t212 -  *_t212;
                                            				 *_t213 =  *_t213 + _t213;
                                            				 *((intOrPtr*)(_t304 + 0x6120618)) =  *((intOrPtr*)(_t304 + 0x6120618)) + _t213;
                                            				 *_t272 =  *_t272 + _t292;
                                            				_t293 = _t292 + _t292;
                                            				_t214 = _t213 -  *_t213;
                                            				 *_t214 =  *_t214 + _t214;
                                            				 *((intOrPtr*)(_t272 + 0x19166200)) =  *((intOrPtr*)(_t272 + 0x19166200)) + _t214;
                                            				_push(es);
                                            				asm("adc [eax], eax");
                                            				asm("fsubr qword [ebx]");
                                            				 *_t214 =  *_t214 + _t214;
                                            				 *_t214 =  *_t214 + _t214;
                                            				 *_t214 =  *_t214 + 0x62017d4;
                                            				asm("adc eax, [eax]");
                                            				_t314 = _t313 + 1;
                                            				_t215 = _t214;
                                            				 *_t215 =  *_t215 + _t215;
                                            				 *((intOrPtr*)(_t272 + 0x2c068b00)) =  *((intOrPtr*)(_t272 + 0x2c068b00)) + _t215;
                                            				ss = es;
                                            				 *((intOrPtr*)(_t215 + 0x2c)) =  *((intOrPtr*)(_t215 + 0x2c)) + _t260;
                                            				 *_t215 =  *_t215 + _t215;
                                            				 *_t215 =  *_t215 + _t215;
                                            				 *_t215 =  *_t215 + 0x3d30225;
                                            				asm("sbb [eax], al");
                                            				 *0 =  *0 >> 0xc4;
                                            				 *((intOrPtr*)(_t260 + 0x1a001507)) =  *((intOrPtr*)(_t260 + 0x1a001507)) + _t293;
                                            				_t217 = _t215 + _t260;
                                            				 *_t217 =  *_t217 + 0x61641;
                                            				asm("sbb eax, [eax]");
                                            				 *_t299 =  *_t299 & _t272;
                                            				 *_t217 =  *_t217 + _t217;
                                            				 *_t217 =  *_t217 + _t217;
                                            				_t218 = _t304;
                                            				_t305 = _t217;
                                            				 *_t218 =  *_t218 + _t272;
                                            				_t219 = _t218 ^  *_t305;
                                            				asm("sbb eax, [eax]");
                                            				if(_t219 >= 0) {
                                            					 *_t219 =  *_t219 + _t219;
                                            					 *_t219 =  *_t219 + _t219;
                                            					_t308 = _t219;
                                            					 *((intOrPtr*)(_t299 + 1)) =  *((intOrPtr*)(_t299 + 1)) + _t260;
                                            					_t258 = _t305 ^  *_t308;
                                            					asm("sbb al, 0x0");
                                            					asm("enter 0x2f, 0x0");
                                            					 *_t258 =  *_t258 + _t258;
                                            					_t219 = _t308;
                                            					_t305 = _t258;
                                            					_t272 = _t272 + _t293;
                                            					 *_t219 =  *_t219 + _t260;
                                            					_push(es);
                                            					asm("sbb eax, 0x302000");
                                            					 *_t219 =  *_t219 + _t219;
                                            					 *((intOrPtr*)(_t272 + 0x3e013100)) =  *((intOrPtr*)(_t272 + 0x3e013100)) + _t293;
                                            					ds = es;
                                            					 *((intOrPtr*)(_t219 + _t305)) =  *((intOrPtr*)(_t219 + _t305)) + _t260;
                                            					 *_t219 =  *_t219 + _t219;
                                            					 *((intOrPtr*)(_t272 + 0x4300e400)) =  *((intOrPtr*)(_t272 + 0x4300e400)) + _t293;
                                            				}
                                            				_t220 = _t219 + _t219;
                                            				 *((intOrPtr*)(_t260 + 6)) =  *((intOrPtr*)(_t260 + 6)) + _t220;
                                            				 *_t220 =  *_t220 & _t220;
                                            				 *_t220 =  *_t220 ^ 0x00000000;
                                            				 *_t220 =  *_t220 + _t220;
                                            				 *((intOrPtr*)(_t272 + 0x4a016c00)) =  *((intOrPtr*)(_t272 + 0x4a016c00)) + _t293;
                                            				_push(es);
                                            				 *_t220 =  *_t220 & _t220;
                                            				asm("enter 0x30, 0x0");
                                            				 *_t220 =  *_t220 + _t220;
                                            				_t273 =  *_t220;
                                            				 *_t220 = _t272;
                                            				_push(_t293);
                                            				_push(es);
                                            				_t221 = _t220 &  *_t220;
                                            				 *_t273 =  *_t273 + _t293;
                                            				 *_t221 =  *_t221 + _t221;
                                            				 *_t221 =  *_t221 + _t221;
                                            				 *_t221 = _t273;
                                            				asm("enter 0x5202, 0x6");
                                            				_t222 = _t221 & 0x00000000;
                                            				 *_t222 =  *_t222 + _t222;
                                            				 *_t222 =  *_t222 + _t222;
                                            				 *_t222 =  *_t221;
                                            				asm("fst qword [ecx]");
                                            				asm("in al, dx");
                                            				asm("adc [ebx], edi");
                                            				 *0x316400 =  *0x316400 + _t314;
                                            				 *_t222 =  *_t222 + _t222;
                                            				 *((intOrPtr*)(_t305 - 0x8eea7f8)) =  *((intOrPtr*)(_t305 - 0x8eea7f8)) + _t222;
                                            				_t223 = _t222 + 0x317c0026;
                                            				 *_t223 =  *_t223 + _t223;
                                            				 *_t223 =  *_t223 + _t223;
                                            				_t277 =  *_t223;
                                            				 *_t223 =  *_t222;
                                            				_push(0x11);
                                            				 *[es:eax+0x31] =  *[es:eax+0x31] + _t293;
                                            				 *((intOrPtr*)(_t277 + 0x602e000)) =  *((intOrPtr*)(_t277 + 0x602e000)) + _t223;
                                            				 *_t299 =  *_t299 + _t223;
                                            				 *_t223 =  *_t223 + _t293;
                                            				_t224 = _t223 ^  *_t223;
                                            				 *_t224 =  *_t224 + _t224;
                                            				 *((intOrPtr*)(_t277 + 0x58157700)) =  *((intOrPtr*)(_t277 + 0x58157700)) + _t224;
                                            				_push(es);
                                            				asm("daa");
                                            				 *((intOrPtr*)(_t293 + _t305)) =  *((intOrPtr*)(_t293 + _t305)) + _t293;
                                            				 *_t224 =  *_t224 + _t224;
                                            				 *_t224 =  *_t224 + _t224;
                                            				asm("les eax, [eax]");
                                            				_t278 = _t277 +  *_t305;
                                            				 *_t224 =  *_t224 - _t224;
                                            				_t225 = _t224 ^  *_t224;
                                            				 *_t225 =  *_t225 + _t225;
                                            				_t278[0x1833640] = _t278[0x1833640] + _t225;
                                            				 *_t278 = _t278 +  *_t278;
                                            				 *((intOrPtr*)(1 + _t305)) =  *((intOrPtr*)(1 + _t305)) + _t293;
                                            				 *_t225 =  *_t225 + _t225;
                                            				 *_t225 =  *_t225 + _t225;
                                            				 *_t225 =  *_t225 + 0x3d30c90;
                                            				 *_t225 =  *_t225 - _t225;
                                            				asm("pushad");
                                            				_t226 = _t225 ^  *_t225;
                                            				 *_t226 =  *_t226 + _t226;
                                            				_t278[0x1821000] = _t278[0x1821000] + _t226;
                                            				 *((intOrPtr*)(1)) =  *((intOrPtr*)(1)) + _t278;
                                            				_t228 = _t226 + _t293 ^  *(_t226 + _t293);
                                            				 *_t228 =  *_t228 + _t228;
                                            				 *((intOrPtr*)(_t278 - 0x2cf38100)) =  *((intOrPtr*)(_t278 - 0x2cf38100)) + _t228;
                                            				 *_t278 =  *_t278 + _t293;
                                            				_t229 = _t228 ^ 0x00000000;
                                            				 *_t229 =  *_t229 + _t229;
                                            				 *((intOrPtr*)(_t278 - 0x2cf4cc00)) =  *((intOrPtr*)(_t278 - 0x2cf4cc00)) + _t229;
                                            				_t311 = _t309 +  *((intOrPtr*)(1)) +  *0x341c00;
                                            				 *_t229 =  *_t229 + _t229;
                                            				 *((intOrPtr*)(_t305 + 0x5e143408)) =  *((intOrPtr*)(_t305 + 0x5e143408)) + _t229;
                                            				_push(es);
                                            				asm("das");
                                            				 *_t229 =  *_t229 + _t293;
                                            				_t230 = _t229 ^ 0x00000000;
                                            				 *_t230 =  *_t230 + _t230;
                                            				 *((intOrPtr*)(_t305 + 0x6120618)) =  *((intOrPtr*)(_t305 + 0x6120618)) + _t230;
                                            				 *_t299 = _t278 +  *_t299;
                                            				 *((intOrPtr*)(_t230 + 0x34)) =  *((intOrPtr*)(_t230 + 0x34)) + _t230;
                                            				 *((intOrPtr*)(_t305 + 0x68025200)) =  *((intOrPtr*)(_t305 + 0x68025200)) + _t230;
                                            				asm("das");
                                            				_t232 = _t230 + _t293 ^ 0x00000000;
                                            				 *_t232 =  *_t232 + _t232;
                                            				 *((intOrPtr*)(_t305 + 0x1151c00)) =  *((intOrPtr*)(_t305 + 0x1151c00)) + _t232;
                                            				 *_t232 =  *_t232 + _t293;
                                            				 *((intOrPtr*)(_t311 + _t305)) =  *((intOrPtr*)(_t311 + _t305)) + _t293;
                                            				 *_t232 =  *_t232 + _t232;
                                            				 *((intOrPtr*)(_t305 + 0x10d3100)) =  *((intOrPtr*)(_t305 + 0x10d3100)) + _t232;
                                            				 *_t278 =  *_t278 + _t293;
                                            				_t234 = _t232 + 1 ^ 0x00000000;
                                            				_t235 =  *_t234;
                                            				 *_t235 = _t234;
                                            				ss = es;
                                            				_push(es);
                                            				 *_t293 =  *_t293 + _t293;
                                            				 *_t235 =  *_t235 + 1;
                                            				 *[ss:eax] =  *[ss:eax] + _t235;
                                            				 *_t235 =  *_t235 + _t235;
                                            				_t236 =  *_t235;
                                            				 *_t236 = _t235;
                                            				_t238 = _t236 + 0x00000001 | 0x00000006;
                                            				 *_t293 =  *_t293 + _t293;
                                            				 *((intOrPtr*)(_t305 + _t305)) =  *((intOrPtr*)(_t305 + _t305)) + _t293;
                                            				 *_t238 =  *_t238 + _t238;
                                            				_t239 = _t238 + _t238;
                                            				 *0x32001508 =  *((intOrPtr*)(0x32001508)) + _t293;
                                            				 *((intOrPtr*)(_t305 + _t305)) =  *((intOrPtr*)(_t305 + _t305)) + _t278;
                                            				 *_t239 =  *_t239 + 0x61641;
                                            				_t240 = _t239 ^  *_t239;
                                            				 *_t278 =  *_t278 | _t299;
                                            				 *_t240 =  *_t240 + _t240;
                                            				 *_t240 =  *_t240 + _t240;
                                            				 *_t240 =  *_t240 + 0x6580001;
                                            				_t241 = _t240 ^  *_t240;
                                            				 *_t241 =  *_t241 + _t241;
                                            				 *((intOrPtr*)(_t278 - 0x40f20b00)) =  *((intOrPtr*)(_t278 - 0x40f20b00)) + _t293;
                                            				_t294 = _t293 +  *((intOrPtr*)(_t241 + _t241));
                                            				 *_t241 =  *_t241 + _t241;
                                            				 *((intOrPtr*)(_t305 + 0x6e051308)) =  *((intOrPtr*)(_t305 + 0x6e051308)) + _t241;
                                            				_push(es);
                                            				_t242 = _t241 ^ 0x00000000;
                                            				_t280 =  &(_t278[0]) - 1;
                                            				 *_t242 =  *_t242 + _t242;
                                            				 *((intOrPtr*)(_t305 - 0x9fae2f8)) =  *((intOrPtr*)(_t305 - 0x9fae2f8)) + _t242;
                                            				 *((intOrPtr*)(_t242 + _t242)) =  *((intOrPtr*)(_t242 + _t242)) + _t294;
                                            				_push(_t294);
                                            				 *_t242 =  *_t242 + _t242;
                                            				 *((intOrPtr*)(_t305 + 0x79175308)) =  *((intOrPtr*)(_t305 + 0x79175308)) + _t242;
                                            				 *0x395a00 =  *0x395a00 + _t305;
                                            				 *_t242 =  *_t242 + _t242;
                                            				 *((intOrPtr*)(_t305 + 0x10175c08)) =  *((intOrPtr*)(_t305 + 0x10175c08)) + _t242;
                                            				 *0x396300 =  *0x396300 + _t294;
                                            				 *_t242 =  *_t242 + _t242;
                                            				 *((intOrPtr*)(_t305 + 0x74120618)) =  *((intOrPtr*)(_t305 + 0x74120618)) + _t242;
                                            				 *[ss:ebp+0x39] =  *[ss:ebp+0x39] + 1;
                                            				 *_t242 =  *_t242 + _t242;
                                            				 *_t242 =  *_t242 + _t242;
                                            				asm("sbb dword [eax], 0x61206");
                                            				_t300 =  *_t280;
                                            				 *_t280 = _t299;
                                            				 *_t242 =  *_t242 + _t242;
                                            				 *_t242 =  *_t242 + _t242;
                                            				 *_t242 = _t280;
                                            				_t243 = es;
                                            				asm("adc edi, esi");
                                            				_t244 = _t243 + 0x398f0038;
                                            				 *_t244 =  *_t244 + _t244;
                                            				 *_t244 =  *_t244 + _t244;
                                            				 *_t244 =  *_t242;
                                            				_push(0x11);
                                            				_t245 = _t244;
                                            				 *_t245 =  *_t245 + _t245;
                                            				 *((intOrPtr*)(_t305 - 0x8ee22f8)) =  *((intOrPtr*)(_t305 - 0x8ee22f8)) + _t245;
                                            				_t246 = _t245 + 0x39a00039;
                                            				 *_t246 =  *_t246 + _t246;
                                            				 *_t246 =  *_t246 + _t246;
                                            				_t283 =  *_t246;
                                            				 *_t246 =  *_t244;
                                            				asm("in al, dx");
                                            				asm("adc [ebx], edi");
                                            				 *_t283 =  *_t283 + _t300;
                                            				 *((intOrPtr*)(_t283 + _t300)) =  *((intOrPtr*)(_t283 + _t300)) + _t283;
                                            				_t284 =  *_t246;
                                            				 *_t246 = _t283;
                                            				 *_t305 =  *_t305 - 1;
                                            				if( *_t305 >= 0) {
                                            					asm("les edi, [ecx]");
                                            					 *_t246 =  *_t246 + _t246;
                                            				}
                                            				 *_t246 =  *_t246 + _t246;
                                            				 *_t246 = _t284;
                                            				asm("adc al, 0xf");
                                            				 *_t305 =  *_t305 + 0x3a08003a;
                                            				 *_t246 =  *_t246 + _t246;
                                            				 *_t246 =  *_t246 + _t246;
                                            				asm("lahf");
                                            				 *_t294 =  *_t294 & 1;
                                            				 *_t246 =  *_t246 + _t246;
                                            				 *_t246 =  *_t246 + _t246;
                                            				asm("scasb");
                                            				_t295 = _t294 +  *0x80003b00;
                                            				 *_t246 =  *_t246 + _t246;
                                            				 *((intOrPtr*)(_t305 - 0x78f2f4f8)) =  *((intOrPtr*)(_t305 - 0x78f2f4f8)) + _t246;
                                            				_push(es);
                                            				_t247 = _t246;
                                            				 *_t247 =  *_t247 + _t247;
                                            				 *((intOrPtr*)(_t305 + 0x680d1908)) =  *((intOrPtr*)(_t305 + 0x680d1908)) + _t247;
                                            				_push(es);
                                            				_t248 = _t247 - 0x3b;
                                            				 *_t248 =  *_t248 + _t248;
                                            				 *_t248 =  *_t248 + _t248;
                                            				_t288 =  *_t248;
                                            				 *_t248 =  *_t246;
                                            				 *((char*)(1)) =  *((char*)(1)) + 0x8c;
                                            				_push(es);
                                            				 *_t248 =  *_t248 + _t248;
                                            				 *((intOrPtr*)(_t305 - 0x73fc70f8)) =  *((intOrPtr*)(_t305 - 0x73fc70f8)) + _t248;
                                            				_push(es);
                                            				 *[ds:ebx+edi] =  *[ds:ebx+edi] + 1;
                                            				_t263 =  *_t248;
                                            				 *_t248 = 1;
                                            				_push(es);
                                            				asm("adc al, [esi]");
                                            				 *_t300 =  *_t300 + _t263;
                                            				 *((intOrPtr*)(_t288 + 0x3c)) =  *((intOrPtr*)(_t288 + 0x3c)) + _t295;
                                            				 *((intOrPtr*)(_t288 - 0x2cfdc700)) =  *((intOrPtr*)(_t288 - 0x2cfdc700)) + _t248;
                                            				 *((intOrPtr*)(_t288 + 0x3c)) =  *((intOrPtr*)(_t288 + 0x3c)) + _t295;
                                            				 *((intOrPtr*)(_t288 - 0x2cf4b600)) =  *((intOrPtr*)(_t288 - 0x2cf4b600)) + _t248;
                                            				_t249 = _t248 +  *_t288;
                                            				asm("pushfd");
                                            				 *_t249 =  *_t249 + _t249;
                                            				 *((intOrPtr*)(_t288 + 0x616e400)) =  *((intOrPtr*)(_t288 + 0x616e400)) + _t249;
                                            				 *_t263 =  *_t263 + _t249;
                                            				 *_t249 =  *_t249 + 0x3d310fe;
                                            				 *((intOrPtr*)(_t311 + _t300 +  *_t300)) =  *((intOrPtr*)(_t311 + _t300 +  *_t300)) + _t249;
                                            				 *_t249 =  *_t249 + _t249;
                                            				 *((intOrPtr*)(_t288 - 0x2cf54700)) =  *((intOrPtr*)(_t288 - 0x2cf54700)) + _t249;
                                            				_t250 = _t249 +  *_t311;
                                            				asm("les eax, [eax]");
                                            				asm("adc eax, 0xc8004700");
                                            				 *_t250 =  *_t250 + 0x61641;
                                            				_t251 = _t250 - 1;
                                            				 *((intOrPtr*)(_t288 + _t251 * 2)) =  *((intOrPtr*)(_t288 + _t251 * 2)) + _t251;
                                            				 *_t251 =  *_t251 + _t251;
                                            				 *((intOrPtr*)(_t288 - 0x2cffe900)) =  *((intOrPtr*)(_t288 - 0x2cffe900)) + _t251;
                                            				_t290 = _t288 +  *_t251 + 1;
                                            				 *_t251 =  *_t251 + _t251;
                                            				 *_t251 =  *_t251 + _t251;
                                            				 *_t251 =  *_t251 + 0x3d30056;
                                            				_t296 = _t295 - 1;
                                            				 *((intOrPtr*)(_t290 + _t251 * 2)) =  *((intOrPtr*)(_t290 + _t251 * 2)) + 7;
                                            				 *_t251 =  *_t251 + 0x3d300f2;
                                            				_t252 = _t251 + _t290;
                                            				_t291 = _t290 + 1;
                                            				 *_t252 =  *_t252 + _t252;
                                            				 *_t252 =  *_t252 + _t252;
                                            				 *_t252 =  *_t252 + 0x3d30140;
                                            				 *((intOrPtr*)(_t311 + 0x39)) =  *((intOrPtr*)(_t311 + 0x39)) + 7;
                                            				 *_t252 =  *_t252 + _t252;
                                            				 *_t252 =  *_t252 + _t252;
                                            				asm("sbb dword [eax], 0x6");
                                            				asm("adc al, [esi]");
                                            				 *_t252 =  *_t252 + _t296;
                                            				asm("adc al, 0x42");
                                            				 *_t252 =  *_t252 + _t252;
                                            				 *_t252 =  *_t252 + _t252;
                                            				_t266 = _t252;
                                            				 *(_t266 + 0x10) =  *(_t266 + 0x10) | _t291;
                                            				_t254 = _t296;
                                            				_push(es);
                                            				_push(_t254);
                                            				 *((intOrPtr*)(7 + _t254 * 2)) =  *((intOrPtr*)(7 + _t254 * 2)) + 7;
                                            				 *_t254 =  *_t254 + _t254;
                                            				 *((intOrPtr*)(_t266 - 0x67f8b2f8)) =  *((intOrPtr*)(_t266 - 0x67f8b2f8)) + 7;
                                            				_push(es);
                                            				_push(_t254);
                                            				 *((intOrPtr*)(_t266 + 0x42)) =  *((intOrPtr*)(_t266 + 0x42)) + 7;
                                            				 *_t254 =  *_t254 + _t254;
                                            				 *_t254 =  *_t254 + _t254;
                                            				_t255 = _t266;
                                            				_t267 = _t254;
                                            				 *(_t291 + 7) =  *(_t291 + 7) | _t267;
                                            				asm("sahf");
                                            				_push(es);
                                            				_push(_t255);
                                            				 *((intOrPtr*)(7 + _t255 * 2)) =  *((intOrPtr*)(7 + _t255 * 2)) + _t267;
                                            				 *_t255 =  *_t255 + _t255;
                                            				 *((intOrPtr*)(_t267 - 0x5af003f8)) =  *((intOrPtr*)(_t267 - 0x5af003f8)) + 7;
                                            				_push(es);
                                            				_push(_t291);
                                            				 *((intOrPtr*)(7 + _t255 * 2)) =  *((intOrPtr*)(7 + _t255 * 2)) + _t291;
                                            				asm("adc eax, 0x5106ab");
                                            				return _t305 - 1;
                                            			}
                                            0x00366cc8
                                            0x00366cc9
                                            0x00366ccd
                                            0x00366ccf
                                            0x00366cd5
                                            0x00366cd6
                                            0x00366cd7
                                            0x00366cda
                                            0x00366cdc
                                            0x00366cde
                                            0x00366cde
                                            0x00366cdf
                                            0x00366ce2
                                            0x00366ce3
                                            0x00366ce4
                                            0x00366ce5
                                            0x00366ce9
                                            0x00366ceb
                                            0x00366cf1
                                            0x00366cf2
                                            0x00366cf3
                                            0x00366cfd
                                            0x00366d02

Memory Dump Source
• Source File: 00000000.00000002.489807860.0000000000362000.00000002.00020000.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.489761793.0000000000360000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ace0f92fb0c8d9fb4af9613a7b2a1177bf9fa2821bb5c8564da6a0003701150a
• Instruction ID: fc05b12109439b045a6995de04668641d307bf5ec87a0ad4e58f34fd868cd9f1
• Opcode Fuzzy Hash: ace0f92fb0c8d9fb4af9613a7b2a1177bf9fa2821bb5c8564da6a0003701150a
• Instruction Fuzzy Hash: 2D12FD6644E7D19FC7138B748CB5A827FB0AE13204B5E89DBC0C1CF1A3E259596AC762
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22e924609cf7f350c5dfca4317368638ad6a58da2c956eaf4238ccc2be785f84
• Instruction ID: 171dfc2de223bab516ca7a43a23a4183bfe13bd94c57709ab11770eec149f1dd
• Opcode Fuzzy Hash: 22e924609cf7f350c5dfca4317368638ad6a58da2c956eaf4238ccc2be785f84
• Instruction Fuzzy Hash: 381280B2495B46CED310CF66ED985C93BA1BBC5328B90C709D2653AAF1D7B8114ECF84
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ca36ac292be66f965467493f3b694fb4d36fdeb3e5d5bf52d163ff8a5641862
• Instruction ID: 3f6d80a991412ca90a1e6dc7624b6c40d7df7fa3f34b706aa6c814e58b242d9d
• Opcode Fuzzy Hash: 5ca36ac292be66f965467493f3b694fb4d36fdeb3e5d5bf52d163ff8a5641862
• Instruction Fuzzy Hash: FAA14B32E0061D8FCF15DFE5C9445EEBBB3FF85310B15856AE905AB261DB71A905CB80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f482ad5f990cd0f668da7c6ad0870682997daea4ca6091d3fcb47c0cf71d5886
• Instruction ID: 26e2884bf71b38875dfa3ea988b7b41747cdf27c5e4a03070060a74df81e581f
• Opcode Fuzzy Hash: f482ad5f990cd0f668da7c6ad0870682997daea4ca6091d3fcb47c0cf71d5886
• Instruction Fuzzy Hash: 60D1D831D10A5A8ADB10EF68D990ADDB3B1FFD5300F60CB9AD10977255EB70AAC8CB51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.497970301.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b1390c41047f7a6f0a2b010c8a1c476a8fa2e968fd10c4b4df60df019be52ed
• Instruction ID: 9e42668dcae58c5ae2dd33e6638713553a8268de4b31876d81d6cf6f3f4a965a
• Opcode Fuzzy Hash: 2b1390c41047f7a6f0a2b010c8a1c476a8fa2e968fd10c4b4df60df019be52ed
• Instruction Fuzzy Hash: C4D1D831D10A5A8ADB10EF68D990ADDB3B1FFD5300F60CB9AD10977255EB70AAC9CB41
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.491696500.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36f822a7ae5f524b808ffb0b19e2b49ec010f55a4ff140c3698447e022986bcd
• Instruction ID: e79ca547131e436ced337bef09d7d95056ab16f3a220ca3a72b06026d92dbd5c
• Opcode Fuzzy Hash: 36f822a7ae5f524b808ffb0b19e2b49ec010f55a4ff140c3698447e022986bcd
• Instruction Fuzzy Hash: 7CC1E3B2851B46CED710CF66ED885C97BA1BBC5328B51C719D2617BAE0D7B8108ECF84
Uniqueness
• Uniqueness Score: -1.00%