
Windows Analysis Report XP010-61.exe

Overview

General Information

Sample Name: XP010-61.exe
Analysis ID: 458939
MD5: c40a4ead5c31e5f00820dcf91fb47348
SHA1: 48a1b03337c4082d774fbed23c1abc88493ba6a0
SHA256: ea58d9344f7ec384cc7fe907419d649bb18f0d35b6b5c19004602d8d00611823
Tags: AgentTesla, exe
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • XP010-61.exe (PID: 6064 cmdline: 'C:\Users\user\Desktop\XP010-61.exe' MD5: C40A4EAD5C31E5F00820DCF91FB47348)
    • XP010-61.exe (PID: 5596 cmdline: {path} MD5: C40A4EAD5C31E5F00820DCF91FB47348)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "sales@roplantpakistan.com", "Password": "ro3000GPD", "Host": "mail.roplantpakistan.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000F.00000002.498217654.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.498217654.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.XP010-61.exe.40e3028.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.XP010-61.exe.40e3028.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
15.2.XP010-61.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
15.2.XP010-61.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.XP010-61.exe.40e3028.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 15.2.XP010-61.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sales@roplantpakistan.com", "Password": "ro3000GPD", "Host": "mail.roplantpakistan.com"}
Multi AV Scanner detection for submitted file
Source: XP010-61.exe | Virustotal: Detection: 38%
Source: XP010-61.exe | Metadefender: Detection: 34%
Source: XP010-61.exe | ReversingLabs: Detection: 85%
Machine Learning detection for sample
Source: XP010-61.exe | Joe Sandbox ML: detected
Source: 15.2.XP010-61.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: XP010-61.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: XP010-61.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: XP010-61.exe, 0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: XP010-61.exe, 0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: XP010-61.exe, 0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp | String found in binary or memory: http://ZlZwxG.com
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: XP010-61.exe, 00000000.00000002.317808537.00000000017A7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comX?
Source: XP010-61.exe, 00000000.00000002.317808537.00000000017A7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comgrita
Source: XP010-61.exe, 00000000.00000002.317808537.00000000017A7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: XP010-61.exe, 0000000F.00000002.498217654.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: XP010-61.exe, 0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 15.2.XP010-61.exe.400000.0.unpack, <PrivateImplementationDetails>{69593ADE-002B-4B50-9FE8-0D25C9B34462}/0F5F2F44-1F7B-4F87-A141-9D264B8558F5.cs | Large array initialization: .cctor: array initializer size 11942
.NET source code contains very large strings
Source: XP010-61.exe, ImageSilder/Transitions/Star.cs | Long String: Length: 24686
Source: 0.0.XP010-61.exe.be0000.0.unpack, ImageSilder/Transitions/Star.cs | Long String: Length: 24686
Source: 0.2.XP010-61.exe.be0000.0.unpack, ImageSilder/Transitions/Star.cs | Long String: Length: 24686
Source: 15.0.XP010-61.exe.770000.0.unpack, ImageSilder/Transitions/Star.cs | Long String: Length: 24686
Source: 15.2.XP010-61.exe.770000.1.unpack, ImageSilder/Transitions/Star.cs | Long String: Length: 24686
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_00BE6665
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_077536D3
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_077525E0
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07756130
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_077539C0
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07757FE8
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07757FD8
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07753E79
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07751628
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07751618
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07750D58
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07750D49
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_077525A5
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_0775A458
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07751A98
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07751A89
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07756122
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07753118
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_077501C0
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_077501B0
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_077530F9
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_077530C0
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_077518A0
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 0_2_07751890
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 15_2_00776665
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 15_2_012C46A0
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 15_2_012C4672
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 15_2_012C4690
Source: C:\Users\user\Desktop\XP010-61.exe | Code function: 15_2_012CDA00
Source: XP010-61.exe, 00000000.00000002.321250844.00000000042D8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs XP010-61.exe
Source: XP010-61.exe, 00000000.00000002.316500996.0000000000CBE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKWlS8RbM.exe< vs XP010-61.exe
Source: XP010-61.exe, 00000000.00000002.331666674.0000000007470000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs XP010-61.exe
Source: XP010-61.exe, 00000000.00000002.318033273.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBNodJotrRnuePTBKbNDNxteKM.exe4 vs XP010-61.exe
Source: XP010-61.exe, 0000000F.00000002.503706448.0000000005190000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs XP010-61.exe
Source: XP010-61.exe, 0000000F.00000002.498217654.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameBNodJotrRnuePTBKbNDNxteKM.exe4 vs XP010-61.exe
Source: XP010-61.exe, 0000000F.00000000.315895133.000000000084E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKWlS8RbM.exe< vs XP010-61.exe
Source: XP010-61.exe | Binary or memory string: OriginalFilenameKWlS8RbM.exe< vs XP010-61.exe
Source: XP010-61.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: XP010-61.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 15.2.XP010-61.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\XP010-61.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XP010-61.exe.log
Source: C:\Users\user\Desktop\XP010-61.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\XP010-61.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\XP010-61.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: XP010-61.exe | Virustotal: Detection: 38%
Source: XP010-61.exe | Metadefender: Detection: 34%
Source: XP010-61.exe | ReversingLabs: Detection: 85%
Source: unknown | Process created: C:\Users\user\Desktop\XP010-61.exe 'C:\Users\user\Desktop\XP010-61.exe'
Source: C:\Users\user\Desktop\XP010-61.exe | Process created: C:\Users\user\Desktop\XP010-61.exe {path}
Source: C:\Users\user\Desktop\XP010-61.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\XP010-61.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: XP010-61.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: XP010-61.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: XP010-61.exe, Form2.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.XP010-61.exe.be0000.0.unpack, Form2.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.XP010-61.exe.be0000.0.unpack, Form2.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.0.XP010-61.exe.770000.0.unpack, Form2.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.2.XP010-61.exe.770000.1.unpack, Form2.cs | .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: initial sample | Static PE information: section name: .text entropy: 7.62675761354
Source: C:\Users\user\Desktop\XP010-61.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XP010-61.exe PID: 6064, type: MEMORYSTR
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\XP010-61.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\XP010-61.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: XP010-61.exe, 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: XP010-61.exe, 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\XP010-61.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\XP010-61.exe | Window / User API: threadDelayed 1534
Source: C:\Users\user\Desktop\XP010-61.exe | Window / User API: threadDelayed 8198
Source: C:\Users\user\Desktop\XP010-61.exe TID: 5904 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\XP010-61.exe TID: 1236 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\XP010-61.exe TID: 1276 | Thread sleep count: 1534 > 30
Source: C:\Users\user\Desktop\XP010-61.exe TID: 1276 | Thread sleep count: 8198 > 30
Source: C:\Users\user\Desktop\XP010-61.exe TID: 1236 | Thread sleep count: 75 > 30
Source: C:\Users\user\Desktop\XP010-61.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\XP010-61.exe | Thread delayed: delay time: 922337203685477
Source: XP010-61.exe, 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: XP010-61.exe, 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: XP010-61.exe, 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: XP010-61.exe, 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: XP010-61.exe, 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: XP010-61.exe, 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: XP010-61.exe, 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: XP010-61.exe, 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                      Source: XP010-61.exe, 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Users\user\Desktop\XP010-61.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\XP010-61.exe | Memory written: C:\Users\user\Desktop\XP010-61.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\XP010-61.exe | Process created: C:\Users\user\Desktop\XP010-61.exe {path}
                      Source: XP010-61.exe, 0000000F.00000002.500585460.0000000001680000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: XP010-61.exe, 0000000F.00000002.500585460.0000000001680000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: XP010-61.exe, 0000000F.00000002.500585460.0000000001680000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
                      Source: XP010-61.exe, 0000000F.00000002.500585460.0000000001680000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
                      Source: XP010-61.exe, 0000000F.00000002.500585460.0000000001680000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\XP010-61.exe | Queries volume information: C:\Users\user\Desktop\XP010-61.exe VolumeInformation
                      Source: C:\Users\user\Desktop\XP010-61.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\XP010-61.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\XP010-61.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\XP010-61.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\XP010-61.exe | Queries volume information: C:\Users\user\Desktop\XP010-61.exe VolumeInformation
                      Source: C:\Users\user\Desktop\XP010-61.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\XP010-61.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\XP010-61.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\XP010-61.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.XP010-61.exe.40e3028.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.XP010-61.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.XP010-61.exe.40e3028.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000F.00000002.498217654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.320456284.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.XP010-61.exe.40e3028.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.XP010-61.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.XP010-61.exe.40e3028.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000F.00000002.498217654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.320456284.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: XP010-61.exe PID: 5596, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.XP010-61.exe.40e3028.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.XP010-61.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.XP010-61.exe.40e3028.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000F.00000002.498217654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.320456284.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected AgentTesla
                      Source: Yara match | File source: 0.2.XP010-61.exe.40e3028.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.XP010-61.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.XP010-61.exe.40e3028.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000F.00000002.498217654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.320456284.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: XP010-61.exe PID: 5596, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
                      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                      | Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 211 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
                      | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
                      | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
                      | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
                      | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 113 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
                      | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
                      | External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |

                      The numbers trailing a technique name are the report's signature hit counts for that technique, carried over from the original matrix.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      | Source | Detection | Scanner | Label |
                      |---|---|---|---|
                      | XP010-61.exe | 38% | Virustotal | |
                      | XP010-61.exe | 40% | Metadefender | |
                      | XP010-61.exe | 86% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                      | XP010-61.exe | 100% | Joe Sandbox ML | |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
15.2.XP010-61.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://ZlZwxG.com | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fontbureau.comgrita | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fontbureau.comX? | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | XP010-61.exe, 0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | XP010-61.exe, 0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | XP010-61.exe, 0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ZlZwxG.com | XP010-61.exe, 0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comgrita | XP010-61.exe, 00000000.00000002.317808537.00000000017A7000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como | XP010-61.exe, 00000000.00000002.317808537.00000000017A7000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | XP010-61.exe, 00000000.00000002.328898303.0000000007092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comX? | XP010-61.exe, 00000000.00000002.317808537.00000000017A7000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | XP010-61.exe, 0000000F.00000002.498217654.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                                          Contacted IPs

                                          No contacted IP infos

                                          General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 458939
Start date: 03.08.2021
Start time: 22:12:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 18s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: XP010-61.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/1@0/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.6% (good quality ratio 0.5%)
• Quality average: 46.3%
• Quality standard deviation: 30.3%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 29
• Number of non-executed functions: 18
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
22:14:00 | API Interceptor | 472x Sleep call for process: XP010-61.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASN

                                          No context

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XP010-61.exe.log
Process: C:\Users\user\Desktop\XP010-61.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          Static File Info

                                          General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.630173322947926
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: XP010-61.exe
File size: 914432
MD5: c40a4ead5c31e5f00820dcf91fb47348
SHA1: 48a1b03337c4082d774fbed23c1abc88493ba6a0
SHA256: ea58d9344f7ec384cc7fe907419d649bb18f0d35b6b5c19004602d8d00611823
SHA512: 00a84c0b2da23cb2f8a187c395f3edbde3c9e47ce897845d162f1eb42dd406aa54af4beb0539c98985b9ea23b04446c6dda230cd3e1586bf28439548280a23d5
SSDEEP: 12288:DxGdp+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvXEUKBuGrfk:1GBUKgGpdNRiQnx8Ly5
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0......L......r.... ........@.. .......................`............@................................

                                          File Icon

Icon Hash: b04c9e9ab2c66a92

                                          Static PE Info

                                          General

Entrypoint: 0x4dc572
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6101FABC [Thu Jul 29 00:47:56 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]

                                          Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdc520 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xde000 | 0x4968 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xda578 | 0xda600 | False | 0.83744231182 | data | 7.62675761354 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xde000 | 0x4968 | 0x4a00 | False | 0.932749155405 | data | 7.86601731149 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xde130 | 0x42c1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xe23f4 | 0x14 | data | |
RT_VERSION | 0xe2408 | 0x374 | data | |
RT_MANIFEST | 0xe277c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                          Imports

DLL | Import
mscoree.dll | _CorExeMain

                                          Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2015
Assembly Version | 1.0.0.0
InternalName | KWlS8RbM.exe
FileVersion | 1.0.0.0
CompanyName | smAbdullah.com
LegalTrademarks |
Comments | Created By Sm.Abdullah
ProductName | ImageControls
ProductVersion | 1.0.0.0
FileDescription | ImageControls
OriginalFilename | KWlS8RbM.exe

                                          Network Behavior

                                          No network behavior found

                                          Code Manipulations


                                          System Behavior

                                          General

                                          Start time:22:13:20
                                          Start date:03/08/2021
                                          Path:C:\Users\user\Desktop\XP010-61.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\XP010-61.exe'
                                          Imagebase:0xbe0000
                                          File size:914432 bytes
                                          MD5 hash:C40A4EAD5C31E5F00820DCF91FB47348
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.318235272.0000000002FDF000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.320456284.0000000003F89000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.320456284.0000000003F89000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:22:14:01
                                          Start date:03/08/2021
                                          Path:C:\Users\user\Desktop\XP010-61.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x770000
                                          File size:914432 bytes
                                          MD5 hash:C40A4EAD5C31E5F00820DCF91FB47348
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.498217654.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.498217654.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.500664729.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          Disassembly

                                          Code Analysis


                                            Executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: {{U
                                            • API String ID: 0-2754708353
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: {{U
                                            • API String ID: 0-2754708353
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 07757EF3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 07757EF3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07758A65
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07758A65
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077588DF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 07758817
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077588DF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 07758817
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0775899B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0775899B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 07758F0D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 07758F0D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: ,bQ
                                            • API String ID: 0-793188631
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID: ,bQ
                                            • API String ID: 0-793188631
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 71%
                                            			E00BE6665(void* __eax, signed int __ebx, intOrPtr __ecx, signed int __edi, intOrPtr* __esi, void* __fp0) {
                                            				intOrPtr* _t242;
                                            				signed int* _t243;
                                            				signed int* _t244;
                                            				signed char* _t245;
                                            				signed int _t247;
                                            				signed char* _t248;
                                            				signed char* _t249;
                                            				signed int _t250;
                                            				void* _t251;
                                            				signed int _t253;
                                            				signed int _t254;
                                            				signed int _t255;
                                            				signed int _t257;
                                            				signed int _t258;
                                            				signed int _t259;
                                            				intOrPtr* _t261;
                                            				intOrPtr* _t262;
                                            				intOrPtr* _t263;
                                            				signed int _t265;
                                            				signed int _t266;
                                            				signed int _t267;
                                            				signed int _t268;
                                            				signed char _t269;
                                            				signed char _t270;
                                            				signed char _t271;
                                            				signed char _t272;
                                            				signed int _t273;
                                            				signed int _t274;
                                            				signed char _t276;
                                            				signed char _t277;
                                            				signed char _t278;
                                            				signed char _t280;
                                            				signed int _t282;
                                            				intOrPtr* _t283;
                                            				intOrPtr* _t284;
                                            				signed char _t285;
                                            				signed char _t286;
                                            				signed int _t288;
                                            				signed int _t289;
                                            				signed char _t290;
                                            				signed char _t291;
                                            				intOrPtr* _t292;
                                            				signed char _t293;
                                            				signed char _t294;
                                            				intOrPtr* _t298;
                                            				intOrPtr* _t299;
                                            				intOrPtr* _t300;
                                            				signed int _t301;
                                            				signed int _t302;
                                            				signed int _t304;
                                            				signed int _t305;
                                            				signed int _t309;
                                            				signed int _t310;
                                            				intOrPtr* _t311;
                                            				signed char _t312;
                                            				signed int _t313;
                                            				signed int _t314;
                                            				signed int _t316;
                                            				signed char _t320;
                                            				signed char _t321;
                                            				intOrPtr* _t322;
                                            				void* _t326;
                                            				signed int* _t327;
                                            				signed int* _t329;
                                            				intOrPtr* _t332;
                                            				void* _t333;
                                            				intOrPtr* _t340;
                                            				void* _t342;
                                            				signed char _t343;
                                            				void* _t350;
                                            				intOrPtr* _t351;
                                            				signed char _t352;
                                            				signed char _t353;
                                            				intOrPtr* _t354;
                                            				void* _t355;
                                            				signed char _t356;
                                            				signed int _t357;
                                            				signed char _t358;
                                            				signed int _t359;
                                            				signed int* _t360;
                                            				intOrPtr* _t363;
                                            				signed int _t365;
                                            				signed int _t367;
                                            				signed int _t368;
                                            				intOrPtr* _t369;
                                            				signed int _t370;
                                            				signed int _t372;
                                            				intOrPtr* _t377;
                                            				signed int _t378;
                                            				signed char* _t380;
                                            				signed char* _t381;
                                            
                                            				_t359 = __edi;
                                            				_t310 = __ebx;
                                            				asm("in eax, dx");
                                            				_push(ss);
                                            				asm("adc [ebp-0x637fa9fb], bh");
                                            				asm("bsr eax, [0xf848056]");
                                            				 *0x7900AC0A =  *0x7900AC0A | __ebx;
                                            				 *0x9C00AC0A =  *((intOrPtr*)(0x9c00ac0a)) + __edi;
                                            				asm("adc eax, 0x805605bd");
                                            				asm("adc eax, 0x1055a");
                                            				asm("movsb");
                                            				asm("into");
                                            				asm("rol dword [0x2fa0001], cl");
                                            				asm("rol dword [0x15c10001], cl");
                                            				asm("into");
                                            				asm("rol dword [0x2fa0001], cl");
                                            				asm("rol dword [0x150e0001], cl");
                                            				asm("into");
                                            				asm("rol dword [0x2fa0001], cl");
                                            				asm("rol dword [0x150e0001], cl");
                                            				asm("into");
                                            				asm("rol dword [0x2fa0001], cl");
                                            				asm("rol dword [0x150e0001], cl");
                                            				asm("into");
                                            				asm("loop 0x7");
                                            				 *0x8B1D8062 =  *((intOrPtr*)(0x8b1d8062)) + 0x8b1d8062;
                                            				asm("rol dword [0x2fa0001], cl");
                                            				asm("rol dword [0x2fa0001], cl");
                                            				asm("rol dword [0x32a0001], cl");
                                            				asm("rol dword [0x10e00001], cl");
                                            				asm("into");
                                            				_t350 = ss;
                                            				asm("into");
                                            				_t351 = _t350 + __ebx;
                                            				asm("rol dword [0x18280016], cl");
                                            				asm("fild word [ecx+eax]");
                                            				 *__esi =  *__esi + __ecx;
                                            				asm("adc eax, 0x1055a");
                                            				asm("loopne 0x12");
                                            				asm("into");
                                            				asm("rol dword [0x2fa0001], cl");
                                            				asm("rol dword [0x17a0036], cl");
                                            				goto 0xee00;
                                            				_t242 = 0x8b1d8062 -  *__ebx + 0x2ae62056;
                                            				 *_t242 =  *_t242 + 7;
                                            				_t316 =  *_t242;
                                            				 *_t242 = __ecx;
                                            				asm("sbb al, [esi]");
                                            				_t243 = _t242 +  *[gs:ecx];
                                            				_t243[8] = _t243[8] + _t316;
                                            				 *_t243 =  *_t243 + 7;
                                            				 *_t243 =  *_t243 + 7;
                                            				 *_t243 = _t316;
                                            				asm("daa");
                                            				_push(es);
                                            				asm("adc eax, 0x72000100");
                                            				 *_t243 =  *_t243 & 0x00000007;
                                            				 *_t243 =  *_t243 + 7;
                                            				 *((intOrPtr*)(__esi - 0x8ee20f8)) =  *((intOrPtr*)(__esi - 0x8ee20f8)) + 7;
                                            				_t244 =  &(_t243[0x81e8000]);
                                            				 *_t244 =  *_t244 + 7;
                                            				 *_t244 =  *_t244 + 7;
                                            				 *_t244 =  *_t243;
                                            				asm("out dx, al");
                                            				asm("adc [ebx], edi");
                                            				 *_t351 =  *_t351 + _t244;
                                            				 *((intOrPtr*)(__ebx + 0x20)) =  *((intOrPtr*)(__ebx + 0x20)) + 7;
                                            				 *((intOrPtr*)(__esi - 0x8ee3cf8)) =  *((intOrPtr*)(__esi - 0x8ee3cf8)) + 7;
                                            				_t245 =  &(_t244[0x822c000]);
                                            				 *_t245 =  *_t245 + 7;
                                            				 *_t245 =  *_t245 + 7;
                                            				 *_t245 =  *_t244;
                                            				asm("rcl dword [ecx], 1");
                                            				_t247 = _t378 | __edi;
                                            				_t380 =  &(_t245[ *_t245]);
                                            				 *_t247 =  *_t247 & 0x00000007;
                                            				 *_t247 =  *_t247 + 7;
                                            				 *((intOrPtr*)(__esi - 0x3fb2cf8)) =  *((intOrPtr*)(__esi - 0x3fb2cf8)) + 7;
                                            				_t248 = _t247 + 0x20ac0004;
                                            				 *_t248 =  *_t248 + 7;
                                            				 *_t248 =  *_t248 + 7;
                                            				_t320 =  *_t248;
                                            				 *_t248 =  *_t245;
                                            				_push(es);
                                            				_t249 = _t248;
                                            				 *_t249 =  *_t249 << 0;
                                            				 *_t249 =  *_t249 + 7;
                                            				 *((intOrPtr*)(__esi + 0x6120818)) =  *((intOrPtr*)(__esi + 0x6120818)) + 7;
                                            				 *0x212400 =  *0x212400 + 7;
                                            				 *_t249 =  *_t249 + 7;
                                            				_t250 =  &(_t249[7]);
                                            				 *((intOrPtr*)(__edi + _t320 + 0x50048)) =  *((intOrPtr*)(__edi + _t320 + 0x50048)) + __ebx;
                                            				_push(_t380);
                                            				 *_t250 =  *_t250 & _t250;
                                            				 *_t250 =  *_t250 + 7;
                                            				_t251 = _t250 + 7;
                                            				 *((intOrPtr*)(_t251 + 0xf)) =  *((intOrPtr*)(_t251 + 0xf)) + __ebx;
                                            				 *__esi =  *__esi + 7;
                                            				 *_t320 =  *_t320 + 7;
                                            				asm("les eax, [eax]");
                                            				asm("sbb [ecx], dl");
                                            				_t365 = __esi - 1;
                                            				 *__edi =  *__edi + 7;
                                            				 *((intOrPtr*)(_t365 + 0x21)) =  *((intOrPtr*)(_t365 + 0x21)) + _t351;
                                            				_t253 = _t251 - 1 + 7;
                                            				_t352 = _t351 + __ebx;
                                            				_t321 = _t320 |  *_t365;
                                            				 *_t253 =  *_t253 | 0x00000007;
                                            				 *_t253 =  *_t253 + 7;
                                            				 *_t253 =  *_t253 + 7;
                                            				asm("les eax, [eax]");
                                            				if( *_t253 == 0) {
                                            					_pop(es);
                                            					_push(es);
                                            					 *_t253 =  *_t253 | _t253;
                                            					 *_t365 =  *_t365 | _t253;
                                            					 *_t253 =  *_t253 + 7;
                                            					 *_t253 =  *_t253 + 7;
                                            					asm("les eax, [eax]");
                                            					asm("rol byte [edi], 0x15");
                                            					 *_t352 =  *_t352 + _t321;
                                            					 *__edi =  *__edi + __ebx;
                                            					 *[es:eax] =  *[es:eax] + 7;
                                            				}
                                            				 *_t253 =  *_t253 + _t253;
                                            				 *_t253 =  *_t253 + 0x61643;
                                            				_t254 = _t253 |  *_t253;
                                            				_push(_t254);
                                            				 *[es:eax] =  *[es:eax] + _t254;
                                            				 *_t254 =  *_t254 + _t254;
                                            				_t255 = _t365;
                                            				 *(_t255 + 0xb060d10) =  *(_t255 + 0xb060d10) | _t321;
                                            				 *((intOrPtr*)(_t255 + 0x26)) =  *((intOrPtr*)(_t255 + 0x26)) + _t321;
                                            				 *_t255 =  *_t255 + _t255;
                                            				 *_t255 =  *_t255 + _t255;
                                            				_t367 = _t255;
                                            				_t353 = _t352 | _t321;
                                            				_t257 = _t254 + 0xb060d;
                                            				if(_t257 <= 0) {
                                            					 *_t257 =  *_t257 + _t257;
                                            					 *_t257 =  *_t257 + _t257;
                                            					_t44 = _t310;
                                            					_t310 =  *_t257;
                                            					 *_t257 = _t44;
                                            					 *_t353 =  *_t353 | _t353;
                                            					_push(es);
                                            					 *_t310 =  *_t310 + _t321;
                                            					 *((intOrPtr*)(_t257 + 0x26)) =  *((intOrPtr*)(_t257 + 0x26)) + _t321;
                                            					 *((intOrPtr*)(_t367 + 0x6120818)) =  *((intOrPtr*)(_t367 + 0x6120818)) + _t257;
                                            					 *_t310 =  *_t310 + _t321;
                                            					 *((intOrPtr*)(_t257 + 0x26)) =  *((intOrPtr*)(_t257 + 0x26)) + _t257;
                                            					 *((intOrPtr*)(_t321 - 0x2cfdd100)) =  *((intOrPtr*)(_t321 - 0x2cfdd100)) + _t257;
                                            					_t321 = _t321 +  *_t310;
                                            				}
                                            				_t258 = _t257 |  *_t257;
                                            				asm("loopne 0x29");
                                            				 *_t258 =  *_t258 + _t258;
                                            				 *_t258 =  *_t258 + _t258;
                                            				 *_t258 =  *_t258 + 0x61102a7;
                                            				_t259 = _t258 | 0x00283800;
                                            				 *_t259 =  *_t259 + _t259;
                                            				_t261 = _t259 + _t259 + _t259 + _t259;
                                            				_pop(es);
                                            				asm("adc eax, 0x70001000");
                                            				 *_t261 =  *_t261 - _t261;
                                            				 *_t261 =  *_t261 + _t261;
                                            				 *((intOrPtr*)(_t321 + 0x6164300)) =  *((intOrPtr*)(_t321 + 0x6164300)) + _t261;
                                            				 *_t321 =  *_t321 + _t353;
                                            				 *((intOrPtr*)(_t310 + 0x2b)) =  *((intOrPtr*)(_t310 + 0x2b)) + _t321;
                                            				 *((intOrPtr*)(_t367 + 0x6120818)) =  *((intOrPtr*)(_t367 + 0x6120818)) + _t261;
                                            				 *_t321 =  *_t321 + _t353;
                                            				_t354 = _t353 + _t353;
                                            				_t262 = _t261 -  *_t261;
                                            				 *_t262 =  *_t262 + _t262;
                                            				 *((intOrPtr*)(_t321 + 0x19166400)) =  *((intOrPtr*)(_t321 + 0x19166400)) + _t262;
                                            				asm("adc [eax], eax");
                                            				asm("fsubr qword [ebx]");
                                            				 *_t262 =  *_t262 + _t262;
                                            				 *_t262 =  *_t262 + _t262;
                                            				 *_t262 =  *_t262 + 0x62017d6;
                                            				asm("adc eax, [eax]");
                                            				_t381 =  &(_t380[1]);
                                            				_t263 = _t262;
                                            				 *_t263 =  *_t263 + _t263;
                                            				 *((intOrPtr*)(_t321 + 0x2c06a000)) =  *((intOrPtr*)(_t321 + 0x2c06a000)) + _t263;
                                            				ss = es;
                                            				 *((intOrPtr*)(_t263 + 0x2c)) =  *((intOrPtr*)(_t263 + 0x2c)) + _t310;
                                            				 *_t263 =  *_t263 + _t263;
                                            				 *_t263 =  *_t263 + _t263;
                                            				 *_t263 =  *_t263 + 0x3d3023a;
                                            				asm("sbb [eax], al");
                                            				 *0 =  *0 >> 0xc4;
                                            				es = es;
                                            				asm("adc eax, 0xf8001a00");
                                            				_t265 = _t263 + _t263;
                                            				 *_t265 =  *_t265 + 0x61643;
                                            				asm("sbb eax, [eax]");
                                            				 *_t359 =  *_t359 & _t321;
                                            				 *_t265 =  *_t265 + _t265;
                                            				 *_t265 =  *_t265 + _t265;
                                            				_t266 = _t367;
                                            				_t368 = _t265;
                                            				 *_t266 =  *_t266 + _t321;
                                            				_t267 = _t266 ^  *_t368;
                                            				asm("sbb eax, [eax]");
                                            				if(_t267 >= 0) {
                                            					 *_t267 =  *_t267 + _t267;
                                            					 *_t267 =  *_t267 + _t267;
                                            					_t372 = _t267;
                                            					 *((intOrPtr*)(_t359 + 1)) =  *((intOrPtr*)(_t359 + 1)) + _t310;
                                            					_t309 = _t368 ^  *_t372;
                                            					asm("sbb al, 0x0");
                                            					asm("enter 0x2f, 0x0");
                                            					 *_t309 =  *_t309 + _t309;
                                            					_t267 = _t372;
                                            					_t368 = _t309;
                                            					_t321 = _t321 + _t354;
                                            					 *_t267 =  *_t267 + _t310;
                                            					_push(es);
                                            					asm("sbb eax, 0x302000");
                                            					 *_t267 =  *_t267 + _t267;
                                            					 *((intOrPtr*)(_t321 + 0x3e013100)) =  *((intOrPtr*)(_t321 + 0x3e013100)) + _t354;
                                            					ds = es;
                                            					 *((intOrPtr*)(_t267 + _t368)) =  *((intOrPtr*)(_t267 + _t368)) + _t310;
                                            					 *_t267 =  *_t267 + _t267;
                                            					 *((intOrPtr*)(_t321 + 0x4300e400)) =  *((intOrPtr*)(_t321 + 0x4300e400)) + _t354;
                                            				}
                                            				_t268 = _t267 + _t267;
                                            				 *((intOrPtr*)(_t310 + 6)) =  *((intOrPtr*)(_t310 + 6)) + _t268;
                                            				 *_t268 =  *_t268 & _t268;
                                            				 *_t268 =  *_t268 ^ 0x00000000;
                                            				 *_t268 =  *_t268 + _t268;
                                            				 *((intOrPtr*)(_t321 + 0x4a016c00)) =  *((intOrPtr*)(_t321 + 0x4a016c00)) + _t354;
                                            				_push(es);
                                            				 *_t268 =  *_t268 & _t268;
                                            				asm("enter 0x30, 0x0");
                                            				 *_t268 =  *_t268 + _t268;
                                            				_t322 =  *_t268;
                                            				 *_t268 = _t321;
                                            				asm("enter 0x5202, 0x6");
                                            				_t269 = _t268 &  *_t268;
                                            				 *_t322 =  *_t322 + _t354;
                                            				 *_t269 =  *_t269 + _t269;
                                            				 *_t269 =  *_t269 + _t269;
                                            				 *_t269 = _t322;
                                            				_push(_t354);
                                            				_push(es);
                                            				_t270 = _t269 & 0x00000000;
                                            				 *_t270 =  *_t270 + _t270;
                                            				 *_t270 =  *_t270 + _t270;
                                            				 *_t270 =  *_t269;
                                            				asm("fist word [ecx]");
                                            				asm("out dx, al");
                                            				asm("adc [ebx], edi");
                                            				 *0x316400 =  *0x316400 + _t381;
                                            				 *_t270 =  *_t270 + _t270;
                                            				 *((intOrPtr*)(_t368 - 0x8eea5f8)) =  *((intOrPtr*)(_t368 - 0x8eea5f8)) + _t270;
                                            				_t271 = _t270 + 0x317c0026;
                                            				 *_t271 =  *_t271 + _t271;
                                            				 *_t271 =  *_t271 + _t271;
                                            				_t326 =  *_t271;
                                            				 *_t271 =  *_t270;
                                            				asm("insb");
                                            				asm("adc [ebx], edi");
                                            				 *_t368 =  &(_t381[ *_t368]);
                                            				 *((intOrPtr*)(_t271 + 0x31)) =  *((intOrPtr*)(_t271 + 0x31)) + _t354;
                                            				 *((intOrPtr*)(_t326 + 0x602f500)) =  *((intOrPtr*)(_t326 + 0x602f500)) + _t271;
                                            				 *_t359 =  *_t359 + _t271;
                                            				 *_t271 =  *_t271 + _t354;
                                            				_t272 = _t271 ^  *_t271;
                                            				 *_t272 =  *_t272 + _t272;
                                            				 *((intOrPtr*)(_t326 + 0x58157900)) =  *((intOrPtr*)(_t326 + 0x58157900)) + _t272;
                                            				_push(es);
                                            				asm("daa");
                                            				 *((intOrPtr*)(_t354 + _t368)) =  *((intOrPtr*)(_t354 + _t368)) + _t354;
                                            				 *_t272 =  *_t272 + _t272;
                                            				 *_t272 =  *_t272 + _t272;
                                            				asm("les eax, [eax]");
                                            				asm("pushad");
                                            				_t327 = _t326 +  *_t368;
                                            				 *_t272 =  *_t272 - _t272;
                                            				_t273 = _t272 ^  *_t272;
                                            				 *_t273 =  *_t273 + _t273;
                                            				_t327[0x18339c0] = _t327[0x18339c0] + _t273;
                                            				 *_t327 = _t327 +  *_t327;
                                            				 *((intOrPtr*)(_t310 + _t368)) =  *((intOrPtr*)(_t310 + _t368)) + _t354;
                                            				 *_t273 =  *_t273 + _t273;
                                            				 *_t273 =  *_t273 + _t273;
                                            				 *_t273 =  *_t273 + 0x3d30c9e;
                                            				 *_t273 =  *_t273 - _t273;
                                            				asm("pushad");
                                            				_t274 = _t273 ^  *_t273;
                                            				 *_t274 =  *_t274 + _t274;
                                            				_t327[0x1821340] = _t327[0x1821340] + _t274;
                                            				 *_t310 =  *_t310 + _t327;
                                            				_t276 = _t274 + _t354 ^  *(_t274 + _t354);
                                            				 *_t276 =  *_t276 + _t276;
                                            				 *((intOrPtr*)(_t327 - 0x2cf37300)) =  *((intOrPtr*)(_t327 - 0x2cf37300)) + _t276;
                                            				 *_t327 =  *_t327 + _t354;
                                            				_t277 = _t276 ^ 0x00000000;
                                            				 *_t277 =  *_t277 + _t277;
                                            				 *((intOrPtr*)(_t327 - 0x2cf4be00)) =  *((intOrPtr*)(_t327 - 0x2cf4be00)) + _t277;
                                            				_t377 = 0xc1000105 +  *_t310 +  *0x341c00;
                                            				 *_t277 =  *_t277 + _t277;
                                            				 *((intOrPtr*)(_t368 + 0x5e143608)) =  *((intOrPtr*)(_t368 + 0x5e143608)) + _t277;
                                            				_push(es);
                                            				asm("das");
                                            				 *_t277 =  *_t277 + _t354;
                                            				_t278 = _t277 ^ 0x00000000;
                                            				 *_t278 =  *_t278 + _t278;
                                            				 *((intOrPtr*)(_t368 + 0x6120818)) =  *((intOrPtr*)(_t368 + 0x6120818)) + _t278;
                                            				 *_t359 = _t327 +  *_t359;
                                            				 *((intOrPtr*)(_t278 + 0x34)) =  *((intOrPtr*)(_t278 + 0x34)) + _t278;
                                            				 *((intOrPtr*)(_t368 + 0x68026700)) =  *((intOrPtr*)(_t368 + 0x68026700)) + _t278;
                                            				asm("das");
                                            				_t280 = _t278 + _t354 ^ 0x00000000;
                                            				 *_t280 =  *_t280 + _t280;
                                            				 *((intOrPtr*)(_t368 + 0x1151e00)) =  *((intOrPtr*)(_t368 + 0x1151e00)) + _t280;
                                            				 *_t280 =  *_t280 + _t354;
                                            				 *((intOrPtr*)(_t377 + _t368)) =  *((intOrPtr*)(_t377 + _t368)) + _t354;
                                            				 *_t280 =  *_t280 + _t280;
                                            				 *((intOrPtr*)(_t368 + 0x10d3f00)) =  *((intOrPtr*)(_t368 + 0x10d3f00)) + _t280;
                                            				 *_t327 =  *_t327 + _t354;
                                            				_t282 = _t280 + _t310 ^ 0x00000000;
                                            				_t283 =  *_t282;
                                            				 *_t283 = _t282;
                                            				_t284 = _t283 + 1;
                                            				ss = es;
                                            				 *_t354 =  *_t354 + _t354;
                                            				 *_t284 =  *_t284 + _t310;
                                            				 *[ss:eax] =  *[ss:eax] + _t284;
                                            				 *_t284 =  *_t284 + _t284;
                                            				_t285 =  *_t284;
                                            				 *_t285 = _t284;
                                            				_t369 = _t368 - 1;
                                            				_t286 = _t285 | 0x00000006;
                                            				 *_t354 =  *_t354 + _t354;
                                            				 *((intOrPtr*)(_t369 + _t369)) =  *((intOrPtr*)(_t369 + _t369)) + _t354;
                                            				 *_t286 =  *_t286 + _t286;
                                            				_t288 = _t286 + _t286 + _t286 + _t286;
                                            				es = es;
                                            				asm("adc eax, 0xac003200");
                                            				 *[ss:eax] =  *[ss:eax] + _t288;
                                            				 *_t288 =  *_t288 + _t288;
                                            				 *_t288 =  *_t288 + 0x61643;
                                            				_t289 = _t288 ^  *_t288;
                                            				 *_t327 =  *_t327 | _t359;
                                            				 *_t289 =  *_t289 + _t289;
                                            				 *_t289 =  *_t289 + _t289;
                                            				 *_t289 =  *_t289 + 0x6580001;
                                            				_t290 = _t289 ^  *_t289;
                                            				 *_t290 =  *_t290 + _t290;
                                            				 *((intOrPtr*)(_t327 - 0x40f1fd00)) =  *((intOrPtr*)(_t327 - 0x40f1fd00)) + _t354;
                                            				_t355 = _t354 +  *((intOrPtr*)(_t290 + _t290));
                                            				 *_t290 =  *_t290 + _t290;
                                            				 *((intOrPtr*)(_t369 + 0x6e052808)) =  *((intOrPtr*)(_t369 + 0x6e052808)) + _t290;
                                            				_push(es);
                                            				_t291 = _t290 ^ 0x00000000;
                                            				_t329 =  &(_t327[0]) - 1;
                                            				 *_t291 =  *_t291 + _t291;
                                            				 *((intOrPtr*)(_t369 - 0x9facdf8)) =  *((intOrPtr*)(_t369 - 0x9facdf8)) + _t291;
                                            				 *((intOrPtr*)(_t291 + _t291)) =  *((intOrPtr*)(_t291 + _t291)) + _t355;
                                            				_push(_t355);
                                            				 *_t291 =  *_t291 + _t291;
                                            				 *((intOrPtr*)(_t369 + 0x79175508)) =  *((intOrPtr*)(_t369 + 0x79175508)) + _t291;
                                            				 *0x395a00 =  *0x395a00 + _t369;
                                            				 *_t291 =  *_t291 + _t291;
                                            				 *((intOrPtr*)(_t369 + 0x10175e08)) =  *((intOrPtr*)(_t369 + 0x10175e08)) + _t291;
                                            				 *0x396300 =  *0x396300 + _t355;
                                            				 *_t291 =  *_t291 + _t291;
                                            				 *((intOrPtr*)(_t369 + 0x74120818)) =  *((intOrPtr*)(_t369 + 0x74120818)) + _t291;
                                            				 *[ss:ebp+0x39] =  *[ss:ebp+0x39] + _t310;
                                            				 *_t291 =  *_t291 + _t291;
                                            				 *_t291 =  *_t291 + _t291;
                                            				asm("sbb dword [eax], 0x61208");
                                            				_t360 =  *_t329;
                                            				 *_t329 = _t359;
                                            				 *_t291 =  *_t291 + _t291;
                                            				 *_t291 =  *_t291 + _t291;
                                            				 *_t291 = _t329;
                                            				_t356 = es;
                                            				asm("adc edi, esi");
                                            				_t292 = _t291 + 0x398f0038;
                                            				 *_t292 =  *_t292 + _t292;
                                            				 *_t292 =  *_t292 + _t292;
                                            				 *_t292 =  *_t291;
                                            				asm("insb");
                                            				asm("adc [ebx], edi");
                                            				 *_t292 =  *_t292 + _t360;
                                            				 *((intOrPtr*)(_t292 + 0x39)) =  *((intOrPtr*)(_t292 + 0x39)) + _t310;
                                            				 *((intOrPtr*)(_t369 - 0x8ee20f8)) =  *((intOrPtr*)(_t369 - 0x8ee20f8)) + _t292;
                                            				_t293 = _t292 + 0x39a00039;
                                            				 *_t293 =  *_t293 + _t293;
                                            				 *_t293 =  *_t293 + _t293;
                                            				_t332 =  *_t293;
                                            				 *_t293 =  *_t292;
                                            				asm("out dx, al");
                                            				asm("adc [ebx], edi");
                                            				 *_t332 =  *_t332 + _t360;
                                            				 *((intOrPtr*)(_t332 + _t360)) =  *((intOrPtr*)(_t332 + _t360)) + _t332;
                                            				_t333 =  *_t293;
                                            				 *_t293 = _t332;
                                            				_t294 = _t293 | 0x0000000f;
                                            				if(_t294 >= 0) {
                                            					asm("les edi, [ecx]");
                                            					 *_t294 =  *_t294 + _t294;
                                            				}
                                            				 *_t294 =  *_t294 + _t294;
                                            				 *_t294 = _t333;
                                            				 *_t369 =  *_t369 + 0x3a08003a;
                                            				 *_t294 =  *_t294 + _t294;
                                            				 *_t294 =  *_t294 + _t294;
                                            				 *_t294 =  *_t294 &  *_t360;
                                            				 *3 =  *3 + 3;
                                            				 *3 =  *3 + 3;
                                            				 *((intOrPtr*)(_t369 + 0x1503c308)) =  *((intOrPtr*)(_t369 + 0x1503c308)) + 3;
                                            				 *_t310 =  *_t310 + _t310;
                                            				 *0x0000003D =  *((intOrPtr*)(0x3d)) + 3;
                                            				 *((intOrPtr*)(_t369 - 0x78f2e6f8)) =  *((intOrPtr*)(_t369 - 0x78f2e6f8)) + 3;
                                            				_push(es);
                                            				 *3 =  *3 + 3;
                                            				 *((intOrPtr*)(_t369 + 0x680d2708)) =  *((intOrPtr*)(_t369 + 0x680d2708)) + 3;
                                            				_push(es);
                                            				 *0xFFFFFFFFFFFFFFC8 = 0xffffffffffffffc8 +  *0xFFFFFFFFFFFFFFC8;
                                            				 *0xFFFFFFFFFFFFFFC8 = 0xffffffffffffffc8 +  *0xFFFFFFFFFFFFFFC8;
                                            				 *0xFFFFFFFFFFFFFFC8 =  *_t294;
                                            				_t298 = _t360 +  *[gs:ebx];
                                            				 *_t298 =  *_t298 + _t298;
                                            				 *_t298 =  *_t298 + _t298;
                                            				 *_t298 =  *0xFFFFFFFFFFFFFFC8 +  *((intOrPtr*)(_t369 + _t298 + 0x3b64003d));
                                            				asm("movsb");
                                            				_t340 =  *_t298 +  *((intOrPtr*)(_t369 + _t298 + 0x3b9c003e));
                                            				 *_t298 =  *_t298 + _t298;
                                            				 *_t298 =  *_t298 + _t298;
                                            				_t311 =  *_t298;
                                            				 *_t298 = _t310;
                                            				 *_t356 =  *_t356 | _t356;
                                            				_push(es);
                                            				 *0xFFFFFFFFFFFFFFC8 =  *0xFFFFFFFFFFFFFFC8 + _t311;
                                            				 *((intOrPtr*)(_t340 + 0x3c)) =  *((intOrPtr*)(_t340 + 0x3c)) + _t356;
                                            				 *((intOrPtr*)(_t340 - 0x2cfdb200)) =  *((intOrPtr*)(_t340 - 0x2cfdb200)) + _t298;
                                            				_t363 = 0xffffffffffffffc8 +  *0xFFFFFFFFFFFFFFC8;
                                            				 *((intOrPtr*)(_t340 + 0x3c)) =  *((intOrPtr*)(_t340 + 0x3c)) + _t356;
                                            				 *((intOrPtr*)(_t340 - 0x2cf4a800)) =  *((intOrPtr*)(_t340 - 0x2cf4a800)) + _t298;
                                            				_t299 = _t298 +  *_t340;
                                            				asm("pushfd");
                                            				 *_t299 =  *_t299 + _t299;
                                            				 *((intOrPtr*)(_t340 + 0x616e600)) =  *((intOrPtr*)(_t340 + 0x616e600)) + _t299;
                                            				 *_t311 =  *_t311 + _t299;
                                            				 *_t299 =  *_t299 + 0x3d31100;
                                            				_t312 = _t311 + 1;
                                            				 *((intOrPtr*)(_t377 + _t363)) =  *((intOrPtr*)(_t377 + _t363)) + 3;
                                            				 *_t299 =  *_t299 + _t299;
                                            				 *((intOrPtr*)(_t340 - 0x2cf53a00)) =  *((intOrPtr*)(_t340 - 0x2cf53a00)) + _t299;
                                            				_t300 = _t299 +  *_t377;
                                            				asm("les eax, [eax]");
                                            				asm("rol byte [edi], 0x15");
                                            				 *_t363 =  *_t363 + _t300;
                                            				asm("enter 0x3d, 0x0");
                                            				 *_t300 =  *_t300 + _t300;
                                            				 *_t300 =  *_t300 + 0x61643;
                                            				_t301 = _t300 - 1;
                                            				 *((intOrPtr*)(_t340 + _t301 * 2)) =  *((intOrPtr*)(_t340 + _t301 * 2)) + 3;
                                            				 *_t301 =  *_t301 + _t301;
                                            				 *((intOrPtr*)(_t340 - 0x2cffe900)) =  *((intOrPtr*)(_t340 - 0x2cffe900)) + _t301;
                                            				_t342 = _t340 +  *_t301 + 1;
                                            				 *_t301 =  *_t301 + _t301;
                                            				 *_t301 =  *_t301 + _t301;
                                            				 *_t301 =  *_t301 + 0x3d30056;
                                            				_t357 = _t356 - 1;
                                            				 *((intOrPtr*)(_t342 + _t301 * 2)) =  *((intOrPtr*)(_t342 + _t301 * 2)) + _t312;
                                            				 *_t301 =  *_t301 + 0x3d300f2;
                                            				_t302 = _t301 + _t342;
                                            				_t343 = _t342 + 1;
                                            				 *_t302 =  *_t302 + _t302;
                                            				 *_t302 =  *_t302 + _t302;
                                            				 *_t302 =  *_t302 + 0x3d30140;
                                            				_t370 = _t369 - 1;
                                            				 *((intOrPtr*)(_t377 + 0x39)) =  *((intOrPtr*)(_t377 + 0x39)) + _t312;
                                            				 *_t302 =  *_t302 + _t302;
                                            				 *_t302 =  *_t302 + _t302;
                                            				asm("sbb dword [eax], 0x8");
                                            				asm("adc al, [esi]");
                                            				 *_t302 =  *_t302 + _t357;
                                            				asm("adc al, 0x42");
                                            				 *_t302 =  *_t302 + _t302;
                                            				 *_t302 =  *_t302 + _t302;
                                            				_t313 = _t302;
                                            				 *(_t377 + 0x10) =  *(_t377 + 0x10) | _t343;
                                            				_t304 = _t357;
                                            				_t358 = _t312;
                                            				_push(es);
                                            				_push(_t304);
                                            				 *((intOrPtr*)(_t358 + _t304 * 2)) =  *((intOrPtr*)(_t358 + _t304 * 2)) + _t313;
                                            				 *_t304 =  *_t304 + _t304;
                                            				 *((intOrPtr*)(_t313 - 0x67f8a5f8)) =  *((intOrPtr*)(_t313 - 0x67f8a5f8)) + _t358;
                                            				_push(es);
                                            				_push(_t304);
                                            				 *((intOrPtr*)(_t313 + 0x42)) =  *((intOrPtr*)(_t313 + 0x42)) + _t358;
                                            				 *_t304 =  *_t304 + _t304;
                                            				 *_t304 =  *_t304 + _t304;
                                            				_t305 = _t313;
                                            				_t314 = _t304;
                                            				 *(_t370 + 7) =  *(_t370 + 7) | _t305;
                                            				asm("sahf");
                                            				_push(es);
                                            				_push(_t305);
                                            				 *((intOrPtr*)(_t358 + _t305 * 2)) =  *((intOrPtr*)(_t358 + _t305 * 2)) + _t314;
                                            				 *_t305 =  *_t305 + _t305;
                                            				 *((intOrPtr*)(_t314 - 0x5afe55f8)) =  *((intOrPtr*)(_t314 - 0x5afe55f8)) + _t358;
                                            				_push(es);
                                            				_push(_t343);
                                            				 *((intOrPtr*)(_t358 + _t305 * 2)) =  *((intOrPtr*)(_t358 + _t305 * 2)) + _t343;
                                            				asm("adc eax, 0x5106ab");
                                            				return _t370 | _t358;
                                            			}
                                            0x00be6b31
                                            0x00be6b37
                                            0x00be6b39
                                            0x00be6b3f
                                            0x00be6b45
                                            0x00be6b47
                                            0x00be6b4e
                                            0x00be6b52
                                            0x00be6b54
                                            0x00be6b56
                                            0x00be6b5e
                                            0x00be6b5e
                                            0x00be6b60
                                            0x00be6b62
                                            0x00be6b64
                                            0x00be6b66
                                            0x00be6b67
                                            0x00be6b69
                                            0x00be6b6e
                                            0x00be6b70
                                            0x00be6b72
                                            0x00be6b74
                                            0x00be6b75
                                            0x00be6b77
                                            0x00be6b79
                                            0x00be6b7f
                                            0x00be6b85
                                            0x00be6b8a
                                            0x00be6b8c
                                            0x00be6b8e
                                            0x00be6b8e
                                            0x00be6b90
                                            0x00be6b91
                                            0x00be6b93
                                            0x00be6b95
                                            0x00be6b9c
                                            0x00be6b9c
                                            0x00be6b9e
                                            0x00be6ba0
                                            0x00be6ba4
                                            0x00be6ba6
                                            0x00be6ba6
                                            0x00be6ba8
                                            0x00be6baa
                                            0x00be6bae
                                            0x00be6bb4
                                            0x00be6bb6
                                            0x00be6bb8
                                            0x00be6bbf
                                            0x00be6bc3
                                            0x00be6bc5
                                            0x00be6bcb
                                            0x00be6bcd
                                            0x00be6bd3
                                            0x00be6bd9
                                            0x00be6bdf
                                            0x00be6be1
                                            0x00be6be7
                                            0x00be6bec
                                            0x00be6bee
                                            0x00be6bf0
                                            0x00be6bf2
                                            0x00be6bfa
                                            0x00be6bfc
                                            0x00be6bfe
                                            0x00be6c00
                                            0x00be6c01
                                            0x00be6c08
                                            0x00be6c0a
                                            0x00be6c0c
                                            0x00be6c0c
                                            0x00be6c0e
                                            0x00be6c10
                                            0x00be6c11
                                            0x00be6c13
                                            0x00be6c19
                                            0x00be6c1f
                                            0x00be6c21
                                            0x00be6c27
                                            0x00be6c2d
                                            0x00be6c30
                                            0x00be6c33
                                            0x00be6c35
                                            0x00be6c3b
                                            0x00be6c44
                                            0x00be6c4a
                                            0x00be6c4b
                                            0x00be6c4f
                                            0x00be6c51
                                            0x00be6c57
                                            0x00be6c60
                                            0x00be6c62
                                            0x00be6c65
                                            0x00be6c68
                                            0x00be6c6c
                                            0x00be6c6e
                                            0x00be6c74
                                            0x00be6c75
                                            0x00be6c79
                                            0x00be6c7b
                                            0x00be6c85
                                            0x00be6c86
                                            0x00be6c88
                                            0x00be6c8a
                                            0x00be6c90
                                            0x00be6c91
                                            0x00be6c98
                                            0x00be6c9f
                                            0x00be6ca1
                                            0x00be6ca2
                                            0x00be6ca4
                                            0x00be6ca6
                                            0x00be6cac
                                            0x00be6cad
                                            0x00be6cb0
                                            0x00be6cb2
                                            0x00be6cb4
                                            0x00be6cb7
                                            0x00be6cb9
                                            0x00be6cbc
                                            0x00be6cbe
                                            0x00be6cc0
                                            0x00be6cc2
                                            0x00be6cc3
                                            0x00be6cc6
                                            0x00be6cc6
                                            0x00be6cc7
                                            0x00be6cc8
                                            0x00be6cc9
                                            0x00be6ccd
                                            0x00be6ccf
                                            0x00be6cd5
                                            0x00be6cd6
                                            0x00be6cd7
                                            0x00be6cda
                                            0x00be6cdc
                                            0x00be6cde
                                            0x00be6cde
                                            0x00be6cdf
                                            0x00be6ce2
                                            0x00be6ce3
                                            0x00be6ce4
                                            0x00be6ce5
                                            0x00be6ce9
                                            0x00be6ceb
                                            0x00be6cf1
                                            0x00be6cf2
                                            0x00be6cf3
                                            0x00be6cfd
                                            0x00be6d02

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.316381757.0000000000BE2000.00000002.00020000.sdmp, Offset: 00BE0000, based on PE: true
                                            • Associated: 00000000.00000002.316368536.0000000000BE0000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.316500996.0000000000CBE000.00000002.00020000.sdmp
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9a0b3415f221864772d0500e5c608af8581f056f9e659dd717f687311b2dff78
                                            • Instruction ID: b41a2429e10a5e5e1db6391127a39ce4c48316104b4902ba499958877ba1d8f1
                                            • Opcode Fuzzy Hash: 9a0b3415f221864772d0500e5c608af8581f056f9e659dd717f687311b2dff78
                                            • Instruction Fuzzy Hash: F732336244E3D19FC7038B749CA56827FB0AF53204B5E89EBC0C1CF5A3D259599EC7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ca33140838612c311f45ef266931e3950d6dd2ed347d5ac1ac55d1c4e296c249
                                            • Instruction ID: 294f209683112c059d958dba571d7b30e02fb2a7508a3f8e8ac2a9e1a1320dfb
                                            • Opcode Fuzzy Hash: ca33140838612c311f45ef266931e3950d6dd2ed347d5ac1ac55d1c4e296c249
                                            • Instruction Fuzzy Hash: F9D109B1E142598FCF04CFB8D4405AEFBF2BF89294F10856AD905B7394EB7499428BA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 41769a3288c34f77ab2ae7db8e8b4b4df4c71042fb3b42ce6802431db22a70eb
                                            • Instruction ID: bfaa8b0a4bf2b1bb5be240401c88f6ec0ac439a8a28650e3a24f06a212fc81b0
                                            • Opcode Fuzzy Hash: 41769a3288c34f77ab2ae7db8e8b4b4df4c71042fb3b42ce6802431db22a70eb
                                            • Instruction Fuzzy Hash: 03D1ECB1B002068FDB25DB75C414BAE7BF6AF88640F15893ED946DB290DF74E901CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e04689d3bb1b9c204888619fbf89b2fb3b98866f55b30b18dab0630370f80f11
                                            • Instruction ID: 2e72e81473e00d81a2f2f96222916dcb8e51191d4be40b7d45f4a5daba5914ab
                                            • Opcode Fuzzy Hash: e04689d3bb1b9c204888619fbf89b2fb3b98866f55b30b18dab0630370f80f11
                                            • Instruction Fuzzy Hash: 77E14FB4E142598FCB14DFA9C9806ADFBB2FF89344F24C259D818AB316DB709941CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0953582ac4994b3633da4df0fde9c59d74ad9dee4576aad78ff3b23cb2f09734
                                            • Instruction ID: e6b620d20b7bb736a01d4c9978a7cfb1c6ffc4c817c6357074b37079f6016784
                                            • Opcode Fuzzy Hash: 0953582ac4994b3633da4df0fde9c59d74ad9dee4576aad78ff3b23cb2f09734
                                            • Instruction Fuzzy Hash: CCE12DB4E042598FCB14DFA9C990AADFBB2FF89344F24C299D814AB356D7309941CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8730c7a31b5138315dacb2dd7b998f1bb44e3136247a49c993d37cdc5dc73f5e
                                            • Instruction ID: 9dc65c518596357b9c2fd9ef85b29d1328da4acb57c265b385665bbf478961e4
                                            • Opcode Fuzzy Hash: 8730c7a31b5138315dacb2dd7b998f1bb44e3136247a49c993d37cdc5dc73f5e
                                            • Instruction Fuzzy Hash: 8FD11CB4E142598FCB14DFA9C980AADFBB2FF89344F24C259D818A7316DB309941CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1a03ce658d501426de7c4d83161b5b4bd4d1222c9e074c280b79ef78376212f4
                                            • Instruction ID: 81c78c2006131fd66e7df2ec430fbf50b1fad5744a2070d86eeecaa7851d0bf9
                                            • Opcode Fuzzy Hash: 1a03ce658d501426de7c4d83161b5b4bd4d1222c9e074c280b79ef78376212f4
                                            • Instruction Fuzzy Hash: 6E81F0B4E14209CFCB44CFA9C5859AEFBF2FB89350F24855AD425BB220D370AA42CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 78c9704775d293cd6c36e89d04e3da9e63c9a7f8a3d31b31d865e078833d9959
                                            • Instruction ID: 225ac931286337c12157de2cd380239eb2c541050acea12597c01a556ee02d4f
                                            • Opcode Fuzzy Hash: 78c9704775d293cd6c36e89d04e3da9e63c9a7f8a3d31b31d865e078833d9959
                                            • Instruction Fuzzy Hash: 6E81F1B4E15209CFCB44CFA9C5859AEFBF2FF89350F24856AD415AB220D374AA42CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 19c38068da5d06b063c63d39fb0013a6b462961d71b62ecf3bb5ed93c96000d0
                                            • Instruction ID: dcc64e8474865e7a15c697ee2fc45bd4dc988554cd698ec45cf0965c1bc7bfae
                                            • Opcode Fuzzy Hash: 19c38068da5d06b063c63d39fb0013a6b462961d71b62ecf3bb5ed93c96000d0
                                            • Instruction Fuzzy Hash: F97112B0E14209DFDB04CFAAC5805DEFBF2FB89255F68942AD805BB224D7749A41CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 99cf62109569b64d9b83b8b5fe04bc003ce2ca648cc15ba4980b9ac0fb766c26
                                            • Instruction ID: f7d3d907918e84d81d4bb304e5f896ab826aa21b102ea2d2d00358c01d514718
                                            • Opcode Fuzzy Hash: 99cf62109569b64d9b83b8b5fe04bc003ce2ca648cc15ba4980b9ac0fb766c26
                                            • Instruction Fuzzy Hash: 1871F4B0E1420ACFCB44CFA9D5818AEFBB2FF89350F15851AD915AB314D770A992CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9a1564b02f8b9139d1e52de4ac80b7be5969aa02adc6ec71509abfce2d4f02e7
                                            • Instruction ID: 3770c3b9cf3f3a99bd5110ed7e3b1599cbaeeb2ccfeef1e11de04a0954013c23
                                            • Opcode Fuzzy Hash: 9a1564b02f8b9139d1e52de4ac80b7be5969aa02adc6ec71509abfce2d4f02e7
                                            • Instruction Fuzzy Hash: E56123B0E14209DFDB04CFA9C5809DEFBF2FF89254F68952AD805B7224D7749A41CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 47705f516f48c219e8bd89b0e520183133c0c17d18697f9277d8aa28551edc72
                                            • Instruction ID: f695daeaba8266f32ad2c5b9fc5419ece22254f11e30dec196d5052036264193
                                            • Opcode Fuzzy Hash: 47705f516f48c219e8bd89b0e520183133c0c17d18697f9277d8aa28551edc72
                                            • Instruction Fuzzy Hash: C26115B0E1420ACFCB44CFA9D5808AEFBB2FF89350F14845AD915A7311D770AA92CF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bdf0b23ab1f08cb0218c225467a138a57b4911ad3e8b56158f4b52688a8c8ddc
                                            • Instruction ID: 1d33ca13700922de8cc3532aeef8ef89113033e415ebad39c23675186deb65c1
                                            • Opcode Fuzzy Hash: bdf0b23ab1f08cb0218c225467a138a57b4911ad3e8b56158f4b52688a8c8ddc
                                            • Instruction Fuzzy Hash: 754149B0E0520ADFCB04CFA9C5815AEFBF2FF89350F24C56AC804AB254E7349A41CB95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f846acba7b7c4a1a15046f2984efaa1df5a266f7145db7988f9bc4c3bc212ae9
                                            • Instruction ID: 6260613a7a8a67e789a0e488282ab635ee8afdc4843e1cffc7c29680ec433cfd
                                            • Opcode Fuzzy Hash: f846acba7b7c4a1a15046f2984efaa1df5a266f7145db7988f9bc4c3bc212ae9
                                            • Instruction Fuzzy Hash: D24107B0E0520ADFCB04CFA9C5816AEFBF2EF89250F24D56AC815A7214E3749A418F95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2ca4af506cd7c34cb04513f8bde360e57721a3f9da6aca8a13df9906222eaaf9
                                            • Instruction ID: ca638487eb03d0c077ff2032ad945648bfb6144eeb673920c3a10e700f08a673
                                            • Opcode Fuzzy Hash: 2ca4af506cd7c34cb04513f8bde360e57721a3f9da6aca8a13df9906222eaaf9
                                            • Instruction Fuzzy Hash: 38411A70E152199FCB58CFAAD88169EFBF3FF89240F10C5AAE808A7315D7709A418F51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.331856909.0000000007750000.00000040.00000001.sdmp, Offset: 07750000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ebc4a24b019bd1ab3b7d717a5e1a54ef6ca6ceabc9ddc0d032f64861a7bd3d8e
                                            • Instruction ID: f5a6ebe4f5517626beb2a2ce4226e33c3410269baaea40deec0b0985776045ec
                                            • Opcode Fuzzy Hash: ebc4a24b019bd1ab3b7d717a5e1a54ef6ca6ceabc9ddc0d032f64861a7bd3d8e
                                            • Instruction Fuzzy Hash: ED414DB0E156199FCB58CF6AD88169EFBF3BF89200F14C5AAD808A7325D7709A41CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Executed Functions

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 012C69A0
                                            • GetCurrentThread.KERNEL32 ref: 012C69DD
                                            • GetCurrentProcess.KERNEL32 ref: 012C6A1A
                                            • GetCurrentThreadId.KERNEL32 ref: 012C6A73
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.500499770.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID: $l
                                            • API String ID: 2063062207-3651023222
                                            • Opcode ID: 6c611508874f4f1395987a1f446b6cd537281d4d163bf239173c8e474a592f70
                                            • Instruction ID: 69d9320fc4a5780ac51ec9bf924673e63c9f97979614037d02d23310dd400fdf
                                            • Opcode Fuzzy Hash: 6c611508874f4f1395987a1f446b6cd537281d4d163bf239173c8e474a592f70
                                            • Instruction Fuzzy Hash: 065164B09047898FDB10CFA9D548BDEBFF0AF88314F24845AE548A7350DB745884CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 012C69A0
                                            • GetCurrentThread.KERNEL32 ref: 012C69DD
                                            • GetCurrentProcess.KERNEL32 ref: 012C6A1A
                                            • GetCurrentThreadId.KERNEL32 ref: 012C6A73
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.500499770.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-3162483948
                                            • Opcode ID: 4d885be2dc03c53a3bf382356db882dd185951c4e5433eab2ae68dcda926da1c
                                            • Instruction ID: d38c0a4a736cdd6342615ddf8359b2edd5c099cd5ec80fad991d3de504097f99
                                            • Opcode Fuzzy Hash: 4d885be2dc03c53a3bf382356db882dd185951c4e5433eab2ae68dcda926da1c
                                            • Instruction Fuzzy Hash: AD5152B09106498FDB14CFAAD648BDEBBF0BF88314F24855DE509A7350CB74A884CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012C51A2
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.500499770.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 3fd3020882fd82fde492f904381886d3e7fc3f66ce93930e24e672fda7252313
                                            • Instruction ID: 26fd03efc38e5355c47d38876c62d21b255c9e6d3df2ddd5d65dcd7098f6f535
                                            • Opcode Fuzzy Hash: 3fd3020882fd82fde492f904381886d3e7fc3f66ce93930e24e672fda7252313
                                            • Instruction Fuzzy Hash: BA51D3B1D103499FDF14CF99C884ADEBBB5BF88314F64822EE915AB214D7B4A845CF90
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012C51A2
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.500499770.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 51a283fefe888dd5e638a1e6366774a6c155dea665ab94bfa0088868cf316ed5
                                            • Instruction ID: 8505a7c321809893811c27bd097756d9a876af2941b5cf77c8aa6146d628a9bc
                                            • Opcode Fuzzy Hash: 51a283fefe888dd5e638a1e6366774a6c155dea665ab94bfa0088868cf316ed5
                                            • Instruction Fuzzy Hash: 6B41D3B1D103499FDF14CF99C884ADEBBB5BF88314F24822EE915AB210D7B4A845CF90
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 012C7F01
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.500499770.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 8c77a97a5bcf0a28df7508ce981cfb092e769a8490c235751245dc098f033ada
                                            • Instruction ID: 044ca4281969f178b3dfac37cf2efcf1a3ad346c4ac319cb76f4687909b7c3d7
                                            • Opcode Fuzzy Hash: 8c77a97a5bcf0a28df7508ce981cfb092e769a8490c235751245dc098f033ada
                                            • Instruction Fuzzy Hash: 2F411AB5A103058FDB14CF99C488AAEBBF5FB88714F24C55DE619A7321D774A841CFA0
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 012CC212
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.500499770.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: 5760115f0d40c6cfc78b802380821a4cd39fbde54ba5871e679862716fa5b72f
                                            • Instruction ID: 13873508cc6952dc4dcd3a6516a432b6362dc28007e4435ad83edee9b60c2a3e
                                            • Opcode Fuzzy Hash: 5760115f0d40c6cfc78b802380821a4cd39fbde54ba5871e679862716fa5b72f
                                            • Instruction Fuzzy Hash: 4731FFB48153858FDB10DFA9EA0879E7FF4FB45718F148059E548A7302CBB95849CFA1
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012C6BEF
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.500499770.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: ccbc997f06637353ab9472611fdacfc8bb94653bd550115466fd6191a88b4c58
                                            • Instruction ID: 09bb59ada9b359a48637834e92ce9e079a983db61936e2e15067ed31bbf4aa94
                                            • Opcode Fuzzy Hash: ccbc997f06637353ab9472611fdacfc8bb94653bd550115466fd6191a88b4c58
                                            • Instruction Fuzzy Hash: DD21E3B59002489FDB10CF99D984ADEBBF8FB48320F14841AE914A3310D374A954CFA1
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012C6BEF
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.500499770.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 3cfdc01065df58e8505330a114d2ce79a0874811b5b3e6b40e3178cf01aaa77a
                                            • Instruction ID: c2f319ca593284c0e134e719e81d631e9d99f092a26f335d45769e0ccf446542
                                            • Opcode Fuzzy Hash: 3cfdc01065df58e8505330a114d2ce79a0874811b5b3e6b40e3178cf01aaa77a
                                            • Instruction Fuzzy Hash: 9F21C2B59002499FDB10CFAAD984ADEBBF8FB48324F14841AE918B3310D374A954CFA5
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 012CC212
                                            Memory Dump Source
                                            • Source File: 0000000F.00000002.500499770.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: false
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: 3bb30b4c0f7ff3395a03a3f095cb92671d8d56afa843c6186c684ee2c4f32d57
                                            • Instruction ID: 2fbb12b6252543a8559101b2299dbd87ef4ea3d28b5e3466c3fb10ba992e38d4
                                            • Opcode Fuzzy Hash: 3bb30b4c0f7ff3395a03a3f095cb92671d8d56afa843c6186c684ee2c4f32d57
                                            • Instruction Fuzzy Hash: 0D119DB59113458FDB10DFA9D90879EBBF4FB48714F10852DD508E3601C7B86945CF91
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Non-executed Functions