Windows Analysis Report DOC.exe

Overview

General Information

Sample Name: DOC.exe
Analysis ID: 458964
MD5: 55be7e1a6d40eb553a9053af040f0a1c
SHA1: 25bd6cb389c1e6512f4d8165bf3c3fa7c766ab89
SHA256: 26ee0a35bca584b44bdcc03b68a35407265bc3e696beab9f2253e41529a547c0
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • DOC.exe (PID: 4940 cmdline: 'C:\Users\user\Desktop\DOC.exe' MD5: 55BE7E1A6D40EB553A9053AF040F0A1C)
    • schtasks.exe (PID: 6004 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\phDOuwVbtcmb' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD9F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5936 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 5984 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • tKZVPq.exe (PID: 5524 cmdline: 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • tKZVPq.exe (PID: 5052 cmdline: 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "sales@moderntelco.com", "Password": "Sales@123$%", "Host": "mail.moderntelco.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000012.00000002.495444302.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.495444302.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.335493379.0000000003701000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.335493379.0000000003701000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.334373225.0000000003509000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(7 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
18.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.DOC.exe.3618bc0.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.DOC.exe.3618bc0.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.DOC.exe.3618bc0.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(1 further entry not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 18.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sales@moderntelco.com", "Password": "Sales@123$%", "Host": "mail.moderntelco.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\phDOuwVbtcmb.exe | Metadefender: Detection: 37%
Source: C:\Users\user\AppData\Roaming\phDOuwVbtcmb.exe | ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: DOC.exe | Virustotal: Detection: 41%
Source: DOC.exe | Metadefender: Detection: 37%
Source: DOC.exe | ReversingLabs: Detection: 75%
Source: 18.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: DOC.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DOC.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000012.00000002.505509412.0000000006310000.00000004.00000001.sdmp, tKZVPq.exe, 00000015.00000002.394169982.0000000000542000.00000002.00020000.sdmp, tKZVPq.exe, 00000017.00000002.411018053.0000000000DA2000.00000002.00020000.sdmp, tKZVPq.exe.18.dr
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: tKZVPq.exe, 00000017.00000002.411790030.0000000003140000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: tKZVPq.exe, tKZVPq.exe.18.dr

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 18.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{321C6AE2-0DFA-4C62-8B2B-F4D8729089FC}/6C3305DD-4CD3-4D64-8C6D-BEE185064AF2.cs | Large array initialization: .cctor: array initializer size 11935
.NET source code contains very large strings
Source: DOC.exe, NodeGraphControl/NodeGraphNode.cs | Long String: Length: 24686
Source: phDOuwVbtcmb.exe.0.dr, NodeGraphControl/NodeGraphNode.cs | Long String: Length: 24686
Source: 0.2.DOC.exe.80000.0.unpack, NodeGraphControl/NodeGraphNode.cs | Long String: Length: 24686
Source: 0.0.DOC.exe.80000.0.unpack, NodeGraphControl/NodeGraphNode.cs | Long String: Length: 24686
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: DOC.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: phDOuwVbtcmb.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DOC.exe, 00000000.00000002.342664664.0000000006BD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs DOC.exe
Source: DOC.exe, 00000000.00000002.342528439.0000000006A10000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DOC.exe
Source: DOC.exe, 00000000.00000002.342528439.0000000006A10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DOC.exe
Source: DOC.exe, 00000000.00000002.343351436.0000000008170000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DOC.exe
Source: DOC.exe, 00000000.00000002.332280208.0000000002501000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenametzksTKyIImIJpsIEpUQxqlbWyMltJBVYYV.exe4 vs DOC.exe
Source: DOC.exe, 00000000.00000002.330568706.0000000000127000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKwXiWWI.exe& vs DOC.exe
Source: DOC.exe, 00000000.00000002.342376324.00000000069B0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DOC.exe
Source: DOC.exe, 00000000.00000002.333152640.00000000027DA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameResource_Meter.dll> vs DOC.exe
Source: DOC.exe | Binary or memory string: OriginalFilenameKwXiWWI.exe& vs DOC.exe
Source: DOC.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: phDOuwVbtcmb.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 18.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@12/8@0/0
Source: C:\Users\user\Desktop\DOC.exe | File created: C:\Users\user\AppData\Roaming\phDOuwVbtcmb.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_01
Source: C:\Users\user\Desktop\DOC.exe | Mutant created: \Sessions\1\BaseNamedObjects\FjpEJe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_01
Source: C:\Users\user\Desktop\DOC.exe | File created: C:\Users\user\AppData\Local\Temp\tmpFD9F.tmp
Source: C:\Users\user\Desktop\DOC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DOC.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DOC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DOC.exe | File read: C:\Users\user\Desktop\DOC.exe
Source: unknown | Process created: C:\Users\user\Desktop\DOC.exe 'C:\Users\user\Desktop\DOC.exe'
Source: C:\Users\user\Desktop\DOC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\phDOuwVbtcmb' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD9F.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\DOC.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DOC.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DOC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

                      Data Obfuscation:

.NET source code contains potential unpacker
Source: DOC.exe, NodeGraphControl/frmGiris.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: phDOuwVbtcmb.exe.0.dr, NodeGraphControl/frmGiris.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.DOC.exe.80000.0.unpack, NodeGraphControl/frmGiris.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.DOC.exe.80000.0.unpack, NodeGraphControl/frmGiris.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\DOC.exe Code function: 0_2_0695048E push FFFFFF87h; iretd 0_2_06950493
Source: C:\Users\user\Desktop\DOC.exe Code function: 0_2_069580E0 push es; retn 9572h 0_2_06958168
Source: C:\Users\user\Desktop\DOC.exe Code function: 0_2_0695817E push es; iretd 0_2_06958180
Source: C:\Users\user\Desktop\DOC.exe Code function: 0_2_0695481D push es; iretd 0_2_0695481C
Source: C:\Users\user\Desktop\DOC.exe Code function: 0_2_0695480E push es; iretd 0_2_0695481C
Source: C:\Users\user\Desktop\DOC.exe Code function: 0_2_0695584F push es; retf 0_2_06955870
Source: C:\Users\user\Desktop\DOC.exe Code function: 0_2_06955871 push es; retf 0_2_06955890
Source: initial sample Static PE information: section name: .text entropy: 7.25993057149
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Source: C:\Users\user\Desktop\DOC.exe File created: C:\Users\user\AppData\Roaming\phDOuwVbtcmb.exe

                      Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DOC.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\phDOuwVbtcmb' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD9F.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tKZVPq

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DOC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: DOC.exe PID: 4940, type: MEMORYSTR
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DOC.exe, 00000000.00000002.332280208.0000000002501000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: DOC.exe, 00000000.00000002.332280208.0000000002501000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\DOC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7940
Source: C:\Users\user\Desktop\DOC.exe TID: 4512 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 4776 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 4968 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: DOC.exe, 00000000.00000002.332280208.0000000002501000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RegSvcs.exe, 00000012.00000002.505100434.0000000006220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: DOC.exe, 00000000.00000002.332280208.0000000002501000.00000004.00000001.sdmp Binary or memory string: vmware
Source: DOC.exe, 00000000.00000002.332280208.0000000002501000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DOC.exe, 00000000.00000002.332280208.0000000002501000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: DOC.exe, 00000000.00000002.332280208.0000000002501000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: DOC.exe, 00000000.00000002.332280208.0000000002501000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000012.00000002.505100434.0000000006220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000012.00000002.505100434.0000000006220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: DOC.exe, 00000000.00000002.332280208.0000000002501000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: DOC.exe, 00000000.00000002.332280208.0000000002501000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: DOC.exe, 00000000.00000002.332280208.0000000002501000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000012.00000002.505100434.0000000006220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\DOC.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DOC.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DOC.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DOC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts
Writes to foreign memory regions
Source: C:\Users\user\Desktop\DOC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\DOC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\DOC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
Source: C:\Users\user\Desktop\DOC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
Source: C:\Users\user\Desktop\DOC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11BF008
Source: C:\Users\user\Desktop\DOC.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\phDOuwVbtcmb' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD9F.tmp'
Source: C:\Users\user\Desktop\DOC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: RegSvcs.exe, 00000012.00000002.501548688.0000000001BB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000012.00000002.501548688.0000000001BB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegSvcs.exe, 00000012.00000002.501548688.0000000001BB0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: RegSvcs.exe, 00000012.00000002.501548688.0000000001BB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: RegSvcs.exe, 00000012.00000002.501548688.0000000001BB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Users\user\Desktop\DOC.exe VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll | VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll | VolumeInformation
                      Source: C:\Users\user\Desktop\DOC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 18.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DOC.exe.3618bc0.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DOC.exe.3618bc0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000012.00000002.495444302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.335493379.0000000003701000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.334373225.0000000003509000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected AgentTesla
                      Source: Yara match | File source: 18.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DOC.exe.3618bc0.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DOC.exe.3618bc0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000012.00000002.495444302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.335493379.0000000003701000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.334373225.0000000003509000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.501619417.00000000030C1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: DOC.exe PID: 4940, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5984, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 18.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DOC.exe.3618bc0.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DOC.exe.3618bc0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000012.00000002.495444302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.335493379.0000000003701000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.334373225.0000000003509000.00000004.00000001.sdmp, type: MEMORY
                      Yara detected AgentTesla
                      Source: Yara match | File source: 18.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DOC.exe.3618bc0.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DOC.exe.3618bc0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000012.00000002.495444302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.335493379.0000000003701000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.334373225.0000000003509000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.501619417.00000000030C1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: DOC.exe PID: 4940, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5984, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 212 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job 1 | Registry Run Keys / Startup Folder 1 | Scheduled Task/Job 1 | File and Directory Permissions Modification 1 | LSASS Memory | Security Software Discovery 311 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 1 | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 131 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 212 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories 1 | DCSync | System Information Discovery 113 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information 2 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing 13 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

                      Behavior Graph ID: 458964 | Sample: DOC.exe | Start date: 03/08/2021 | Architecture: WINDOWS | Score: 100

                      Top-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures

                      Process tree (recovered from the graph):
                      • DOC.exe (started)
                      • Dropped by DOC.exe: C:\Users\user\AppData\...\phDOuwVbtcmb.exe (PE32); C:\Users\user\AppData\Local\...\tmpFD9F.tmp (XML); C:\Users\user\AppData\Local\...\DOC.exe.log (ASCII)
                      • Signatures on DOC.exe: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Injects a PE file into a foreign processes
                      • Started by DOC.exe: RegSvcs.exe; RegSvcs.exe; schtasks.exe
                      • Dropped by the first RegSvcs.exe: C:\Users\user\AppData\Roaming\...\tKZVPq.exe (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII)
                      • Signatures on the first RegSvcs.exe: Modifies the hosts file; Hides that the sample has been downloaded from the Internet (zone.identifier)
                      • Signatures on the second RegSvcs.exe: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      • Started by schtasks.exe: conhost.exe
                      • tKZVPq.exe (started), which started conhost.exe
                      • tKZVPq.exe (started), which started conhost.exe

                      Screenshots

                      [Screenshot thumbnails are not included in this text extraction.]

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      DOC.exe | 41% | Virustotal |
                      DOC.exe | 40% | Metadefender |
                      DOC.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\phDOuwVbtcmb.exe | 40% | Metadefender |
                      C:\Users\user\AppData\Roaming\phDOuwVbtcmb.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                      C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | 0% | Metadefender |
                      C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | 0% | ReversingLabs |

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      18.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://www.jiyu-kobo.co.jp/://w | 0% | Avira URL Cloud | safe
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.comiv | 0% | URL Reputation | safe
                      http://www.sajatypeworks.com2 | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      http://eekQoy.com | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.com6 | 0% | Avira URL Cloud | safe
                      http://www.fontbureau.comd9 | 0% | Avira URL Cloud | safe
                      http://www.founder.com.cn/cnT | 0% | Avira URL Cloud | safe
                      http://www.fontbureau.comFG | 0% | Avira URL Cloud | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/~ | 0% | URL Reputation | safe
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp//typ | 0% | Avira URL Cloud | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      http://www.fontbureau.comldva | 0% | Avira URL Cloud | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      http://www.sakkal.com | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      http://www.fontbureau.comTTFF | 0% | Avira URL Cloud | safe
                      http://www.founder.com.cn/cnr-f | 0% | Avira URL Cloud | safe
                      http://www.founder.com.cn/cnd | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/Z | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/U | 0% | URL Reputation | safe
                      http://www.sajatypeworks.comt | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/G | 0% | URL Reputation | safe
                      http://en.wikipedia | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
                      http://www.fontbureau.coma | 0% | URL Reputation | safe
                      http://www.fontbureau.comd | 0% | URL Reputation | safe
                      http://www.fontbureau.come.com | 0% | URL Reputation | safe
                      http://www.carterandcone.coml | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn6 | 0% | Avira URL Cloud | safe
                      http://www.jiyu-kobo.co.jp/http | 0% | Avira URL Cloud | safe
                      http://en.w3 | 0% | Avira URL Cloud | safe
                      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                      http://www.fontbureau.comalic | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn( | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries


                                                Contacted IPs

                                                No contacted IP infos

                                                General Information

                                                Joe Sandbox Version:33.0.0 White Diamond
                                                Analysis ID:458964
                                                Start date:03.08.2021
                                                Start time:23:13:13
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 8m 51s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:DOC.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.adwa.evad.winEXE@12/8@0/0
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 0.4% (good quality ratio 0.4%)
                                                • Quality average: 100%
                                                • Quality standard deviation: 0%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 69
                                                • Number of non-executed functions: 19
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

Time      Type              Description
23:15:00  API Interceptor   498x Sleep call for process: RegSvcs.exe modified
23:15:11  Autostart         Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run tKZVPq C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
23:15:19  Autostart         Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run tKZVPq C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASN

                                                No context

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

Match:C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Detection:malicious (for every associated sample below)
Associated Sample Names (other submissions that dropped the same file):
• PI A19T010620.exe
• Swift Copy.exe
• SOA.exe
• POSH service quotation.exe
• SOA.exe
• epda.exe
• POSH service quotation..exe
• SWIFT REF GO 20210730SFT21020137.exe
• HJKcEjrUuzYMV9X.exe
• est pda.exe
• BL COPY.exe
• DOC.exe
• statement.exe
• PO-K-128 IAN 340854.exe
• PO#4500484210.exe
• Invoice no SS21-22185.exe
• SQycD6hL4Y.exe
• Aggiornamento ordine Quantit#U00e0__BFM Srl 117-28050-01.exe
• PAYMENT INSTRUCTIONS COPY.exe
• FINAL SHIPPING DOC..exe

                                                                                        Created / dropped Files

                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DOC.exe.log
                                                                                        Process:C:\Users\user\Desktop\DOC.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1216
                                                                                        Entropy (8bit):5.355304211458859
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                                        Malicious:true
                                                                                        Reputation:high, very likely benign file
                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tKZVPq.exe.log
                                                                                        Process:C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:modified
                                                                                        Size (bytes):142
                                                                                        Entropy (8bit):5.090621108356562
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                                        MD5:8C0458BB9EA02D50565175E38D577E35
                                                                                        SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                                        SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                                        SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                                        Malicious:false
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                        C:\Users\user\AppData\Local\Temp\tmpFD9F.tmp
                                                                                        Process:C:\Users\user\Desktop\DOC.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1649
                                                                                        Entropy (8bit):5.173181994114527
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBZqtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3c
                                                                                        MD5:46FF7029D50E7EA20AE3AF5D8262D40B
                                                                                        SHA1:03533697D13396465EAE64F54B91E4A298888B79
                                                                                        SHA-256:C7273868F90F42DD427128D64913D673E6041B413BD08BD2F81766335BF790EB
                                                                                        SHA-512:CB8E523C80B9E664D553D799C94AEC6BE3484CE0ADB446AD56B08055B8498EF40A420A75951E0406D88F58FFE83439469C2E6B6A10F0AF7FCCB7628296126F93
                                                                                        Malicious:true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
C:\Users\user\AppData\Roaming\phDOuwVbtcmb.exe
Process: C:\Users\user\Desktop\DOC.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 827392
Entropy (8bit): 6.923955794807188
Encrypted: false
SSDEEP: 12288:kTfMMFw2iNv4sgMMAd2hFbRaWtI/LO6S9Yqj:0jFw1ushLEhFbMWC/Zx
MD5: 55BE7E1A6D40EB553A9053AF040F0A1C
SHA1: 25BD6CB389C1E6512F4D8165BF3C3FA7C766AB89
SHA-256: 26EE0A35BCA584B44BDCC03B68A35407265BC3E696BEAB9F2253E41529A547C0
SHA-512: 98F008AE51A45DADEFBC3D0F577CC384F14DE4EBBFFFB61A5222A82657FA75A5F875FA7D53850D79B300E0F40805BC26117D1C26817D776871BCB4852627FFFA
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 40%
• Antivirus: ReversingLabs, Detection: 75%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]..a..............0..d...:.......... ........@.. ....................................@.................................p...O........7........................................................................... ............... ..H............text....b... ...d.................. ..`.rsrc....7.......8...f..............@..@.reloc..............................@..B........................H.......@...pd......:........f...........................................0...........r...p.+..*".(.....*.0..x.........}.....(.......(......r...po......{....r...po......{....r...po......{....r...po......{....r...po......{....r...po.....*..*..0..+.........,..{.......+....,...{....o........(.....*..0..$.............(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s ...}.....s!...}.....s"...}.....s#...}.....s#...}.....s#...}.....s#...}.....s#...}.....s#...}.....
C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 45152
Entropy (8bit): 6.149629800481177
Encrypted: false
SSDEEP: 768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5: 2867A3817C9245F7CF518524DFD18F28
SHA1: D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256: 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512: 7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: PI A19T010620.exe, Detection: malicious
• Filename: Swift Copy.exe, Detection: malicious
• Filename: SOA.exe, Detection: malicious
• Filename: POSH service quotation.exe, Detection: malicious
• Filename: SOA.exe, Detection: malicious
• Filename: epda.exe, Detection: malicious
• Filename: POSH service quotation..exe, Detection: malicious
• Filename: SWIFT REF GO 20210730SFT21020137.exe, Detection: malicious
• Filename: HJKcEjrUuzYMV9X.exe, Detection: malicious
• Filename: est pda.exe, Detection: malicious
• Filename: BL COPY.exe, Detection: malicious
• Filename: DOC.exe, Detection: malicious
• Filename: statement.exe, Detection: malicious
• Filename: PO-K-128 IAN 340854.exe, Detection: malicious
• Filename: PO#4500484210.exe, Detection: malicious
• Filename: Invoice no SS21-22185.exe, Detection: malicious
• Filename: SQycD6hL4Y.exe, Detection: malicious
• Filename: Aggiornamento ordine Quantit#U00e0__BFM Srl 117-28050-01.exe, Detection: malicious
• Filename: PAYMENT INSTRUCTIONS COPY.exe, Detection: malicious
• Filename: FINAL SHIPPING DOC..exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
C:\Windows\System32\drivers\etc\hosts
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 11
Entropy (8bit): 2.663532754804255
Encrypted: false
SSDEEP: 3:iLE:iLE
MD5: B24D295C1F84ECBFB566103374FB91C5
SHA1: 6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256: 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512: 9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious: true
Preview: ..127.0.0.1
\Device\ConDrv
Process: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1141
Entropy (8bit): 4.44831826838854
Encrypted: false
SSDEEP: 24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5: 1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1: 804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256: 0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512: 5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious: false
Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.923955794807188
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: DOC.exe
File size: 827392
MD5: 55be7e1a6d40eb553a9053af040f0a1c
SHA1: 25bd6cb389c1e6512f4d8165bf3c3fa7c766ab89
SHA256: 26ee0a35bca584b44bdcc03b68a35407265bc3e696beab9f2253e41529a547c0
SHA512: 98f008ae51a45dadefbc3d0f577cc384f14de4ebbfffb61a5222a82657fa75a5f875fa7d53850d79b300e0f40805bc26117d1c26817d776871bcb4852627fffa
SSDEEP: 12288:kTfMMFw2iNv4sgMMAd2hFbRaWtI/LO6S9Yqj:0jFw1ushLEhFbMWC/Zx
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]..a..............0..d...:........... ........@.. ....................................@................................

File Icon

Icon Hash: 18bc8cc4c6c2e120

Static PE Info

General

Entrypoint: 0x4982c2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6100D35D [Wed Jul 28 03:47:41 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x98270          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9a000          0x337fc       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xce000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x962c8       0x96400   False     0.70904937084    data       7.25993057149   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x9a000          0x337fc       0x33800   False     0.509865177488   data       5.58948919804   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xce000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                        Resources

                                                                                         Name           RVA       Size     Type                                                                                                                                   Language  Country
                                                                                         RT_ICON        0x9a2b0   0xb830   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                                         RT_ICON        0xa5ae0   0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                                                                         RT_ICON        0xb6308   0x94a8   data
                                                                                         RT_ICON        0xbf7b0   0x5488   data
                                                                                         RT_ICON        0xc4c38   0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
                                                                                         RT_ICON        0xc8e60   0x25a8   data
                                                                                         RT_ICON        0xcb408   0x10a8   data
                                                                                         RT_ICON        0xcc4b0   0x988    data
                                                                                         RT_ICON        0xcce38   0x468    GLS_BINARY_LSB_FIRST
                                                                                         RT_GROUP_ICON  0xcd2a0   0x84     data
                                                                                         RT_VERSION     0xcd324   0x2ec    data
                                                                                         RT_MANIFEST    0xcd610   0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                        Imports

                                                                                         DLL          Import
                                                                                         mscoree.dll  _CorExeMain

                                                                                        Version Infos

                                                                                         Description       Data
                                                                                         Translation       0x0000 0x04b0
                                                                                         LegalCopyright    xlc
                                                                                         Assembly Version  4.1.2.6
                                                                                         InternalName      KwXiWWI.exe
                                                                                         FileVersion       6.2.1.4
                                                                                         CompanyName       min
                                                                                         LegalTrademarks   rt
                                                                                         Comments          trt
                                                                                         ProductName       fy
                                                                                         ProductVersion    6.2.1.4
                                                                                         FileDescription   th
                                                                                         OriginalFilename  KwXiWWI.exe

                                                                                        Network Behavior

                                                                                        No network behavior found

                                                                                        Code Manipulations

                                                                                        Statistics

                                                                                        CPU Usage

                                                                                        Memory Usage

                                                                                        High Level Behavior Distribution

                                                                                        Behavior

                                                                                        System Behavior

                                                                                        General

                                                                                        Start time:23:14:01
                                                                                        Start date:03/08/2021
                                                                                        Path:C:\Users\user\Desktop\DOC.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\Desktop\DOC.exe'
                                                                                        Imagebase:0x80000
                                                                                        File size:827392 bytes
                                                                                        MD5 hash:55BE7E1A6D40EB553A9053AF040F0A1C
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.335493379.0000000003701000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.335493379.0000000003701000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.334373225.0000000003509000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.334373225.0000000003509000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:23:14:48
                                                                                        Start date:03/08/2021
                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\phDOuwVbtcmb' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD9F.tmp'
                                                                                        Imagebase:0x1330000
                                                                                        File size:185856 bytes
                                                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:23:14:49
                                                                                        Start date:03/08/2021
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7ecfc0000
                                                                                        File size:625664 bytes
                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:23:14:50
                                                                                        Start date:03/08/2021
                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:{path}
                                                                                        Imagebase:0x160000
                                                                                        File size:45152 bytes
                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:23:14:50
                                                                                        Start date:03/08/2021
                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:{path}
                                                                                        Imagebase:0xe00000
                                                                                        File size:45152 bytes
                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.495444302.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000002.495444302.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.501619417.00000000030C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.501619417.00000000030C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:23:15:19
                                                                                        Start date:03/08/2021
                                                                                        Path:C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
                                                                                        Imagebase:0x540000
                                                                                        File size:45152 bytes
                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Antivirus matches:
                                                                                         • Detection: 0%, Metadefender
                                                                                        • Detection: 0%, ReversingLabs
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:23:15:20
                                                                                        Start date:03/08/2021
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7ecfc0000
                                                                                        File size:625664 bytes
                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:23:15:27
                                                                                        Start date:03/08/2021
                                                                                        Path:C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
                                                                                        Imagebase:0xda0000
                                                                                        File size:45152 bytes
                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Reputation:high

                                                                                        General

                                                                                        Start time:23:15:28
                                                                                        Start date:03/08/2021
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7ecfc0000
                                                                                        File size:625664 bytes
                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high

                                                                                        Disassembly

                                                                                        Code Analysis

                                                                                          Executed Functions

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (sf$r>K
                                                                                          • API String ID: 0-665553263
                                                                                          • Opcode ID: 2070113132a97a24428cd729d04eaadd823f30aa5fc2af743e35d6a24abf76f0
                                                                                          • Instruction ID: 33eedd04174a1b17308a496aa6ccaed6defb90e1a1a7e382de86f8a65c5088a7
                                                                                          • Opcode Fuzzy Hash: 2070113132a97a24428cd729d04eaadd823f30aa5fc2af743e35d6a24abf76f0
                                                                                          • Instruction Fuzzy Hash: F4B17B70E09219CFEB94CFA5D5805ADFBB2FF89310F25A82AD805B7614D7349806CF84
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: dw&f$dw&f
                                                                                          • API String ID: 0-2238147682
                                                                                          • Opcode ID: 09532fd89ca933ae3aaa9b71ef3bbfdf29087660eca0d9a10ba407f7dd4f09c1
                                                                                          • Instruction ID: 8f546fa092ec40ec84dcc1975d7f50c831565c6ca691aea680af6104d51cdb0a
                                                                                          • Opcode Fuzzy Hash: 09532fd89ca933ae3aaa9b71ef3bbfdf29087660eca0d9a10ba407f7dd4f09c1
                                                                                          • Instruction Fuzzy Hash: 9CA12974E052598FCB44CFA9C940A9EFBF2EF89310F25C52AD804A7714DB349A41CFA4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: dw&f$dw&f
                                                                                          • API String ID: 0-2238147682
                                                                                          • Opcode ID: 497e708ea73298207a31d27ddd4d11a605042071fc7b108a7817f96fc4257713
                                                                                          • Instruction ID: 8023f4726df10a875b5c033c117f7654291d3223d8235e61dc3ecf01018c96d4
                                                                                          • Opcode Fuzzy Hash: 497e708ea73298207a31d27ddd4d11a605042071fc7b108a7817f96fc4257713
                                                                                          • Instruction Fuzzy Hash: 27A11874E052198FCB44CFA9D540A9EFBF2EF89310F25C52AD805A7758DB349A41CBA4
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: s^(
                                                                                          • API String ID: 0-1818562399
                                                                                          • Opcode ID: c2cd64329a74848a7b22f5310bddaeedff9162ff1aa6e124cc3d2530c112d1b7
                                                                                          • Instruction ID: 69b949c9a5760ee800d013c1d6a52a19165bf0ff6132f1d309ad9a0ea4122eed
                                                                                          • Opcode Fuzzy Hash: c2cd64329a74848a7b22f5310bddaeedff9162ff1aa6e124cc3d2530c112d1b7
                                                                                          • Instruction Fuzzy Hash: 1E71F474E012089FDB44DFA5D8646AEBBB2FF89300F21842AD81ABB354DB345D42CF90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (sf
                                                                                          • API String ID: 0-3639454497
                                                                                          • Opcode ID: 40af05a0d4cbba5fedb3c61af73bde39ce816d0cb81c1e5cfe3c43faa9c48281
                                                                                          • Instruction ID: 55defe40f03d2c3158ab0c5dfadcb7b02e039d565ba92ffc8f444fbf96eeba5b
                                                                                          • Opcode Fuzzy Hash: 40af05a0d4cbba5fedb3c61af73bde39ce816d0cb81c1e5cfe3c43faa9c48281
                                                                                          • Instruction Fuzzy Hash: 20514B70E09219CFEB94CFA5D58059DFBB2BB8D320F21A82AD815B7A54D33499468F84
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0695845B
Memory Dump Source
• Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0695845B
Memory Dump Source
• Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C7FE0A
Memory Dump Source
• Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C7FE0A
Memory Dump Source
• Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C7FE0A
Memory Dump Source
• Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 00C75421
Memory Dump Source
• Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 00C75421
Memory Dump Source
• Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06958A55
Memory Dump Source
• Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C7B87E,?,?,?,?,?), ref: 00C7B93F
Memory Dump Source
• Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C7B87E,?,?,?,?,?), ref: 00C7B93F
Memory Dump Source
• Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069587B7
Memory Dump Source
• Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
                                                                                          • Opcode ID: 417ec6f90e770003df824d536995fa9653f1b6b651cf1db572bad901ce9a8b6b
                                                                                          • Instruction ID: 995b9b8db91daa96617e8a3a33f6297f9ec2a60771bbf230ae90f8ba60ca5cb5
                                                                                          • Opcode Fuzzy Hash: 417ec6f90e770003df824d536995fa9653f1b6b651cf1db572bad901ce9a8b6b
                                                                                          • Instruction Fuzzy Hash: F22125719003599FCB00CF9AD984BDEBBF4FB48310F10842AE918A3251D338A954DBA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06958A55
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: 7e00c5824fbbd94ab866e6652abe229cc8edab228a363be4c6bc77233c844c09
                                                                                          • Instruction ID: b1a0246bef35434cd5dd8d72287aaa79b3d388f830590a8daa90c27f5130edf0
                                                                                          • Opcode Fuzzy Hash: 7e00c5824fbbd94ab866e6652abe229cc8edab228a363be4c6bc77233c844c09
                                                                                          • Instruction Fuzzy Hash: FA2114B1900259DFCF00CF9AD984BDEBBF4FB48324F14842AE918A3650D778A954CF60
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0695956D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MessagePost
                                                                                          • String ID:
                                                                                          • API String ID: 410705778-0
                                                                                          • Opcode ID: c9c69fa269de9973703348e8afed23bc93c569bc7fb47377d4fa4107d5d37337
                                                                                          • Instruction ID: d938fae9d1f63b98b5f85ac56c44e01e17097d4e6f6ca4a5cf0cdd0f0fb7551b
                                                                                          • Opcode Fuzzy Hash: c9c69fa269de9973703348e8afed23bc93c569bc7fb47377d4fa4107d5d37337
                                                                                          • Instruction Fuzzy Hash: F8219DB18043899FDB11CF99D888BDEBFF8EF09310F15848AD854A7202C374A954CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 069586EF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ContextThread
                                                                                          • String ID:
                                                                                          • API String ID: 1591575202-0
                                                                                          • Opcode ID: 0162a4b7d133efcd98773343d44c615b75a6067d92066f02f6162bde22c46a58
                                                                                          • Instruction ID: b0becf319856fe3245af7772e4233440a4a6372ca001a9b521bb12da857abc1b
                                                                                          • Opcode Fuzzy Hash: 0162a4b7d133efcd98773343d44c615b75a6067d92066f02f6162bde22c46a58
                                                                                          • Instruction Fuzzy Hash: 972138B1E102599FCB00CF9AC9857EEFBF4BB48624F158129D818B3640D778A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069587B7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0
                                                                                          • Opcode ID: 6baa16480f08ece0a3ee079536607a856a5f45fca4615389e6ec5d4597de851c
                                                                                          • Instruction ID: ab7e761b9d5d772d37132717e307580817a575905e7f0311559d19aeaa32687e
                                                                                          • Opcode Fuzzy Hash: 6baa16480f08ece0a3ee079536607a856a5f45fca4615389e6ec5d4597de851c
                                                                                          • Instruction Fuzzy Hash: 4A21E4B59003599FCB10CF9AD984BDEBBF4FB48314F14842AE918A3650D378A554DFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 069586EF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ContextThread
                                                                                          • String ID:
                                                                                          • API String ID: 1591575202-0
                                                                                          • Opcode ID: 8ec4706d2f7ee8633e9cdb652ff655633d903e8e9eab6e5df76b7d20f82c5719
                                                                                          • Instruction ID: fc69e3d9bde3e562674540f7472f128fef816f057a2e3decaa7644ea0f323fe0
                                                                                          • Opcode Fuzzy Hash: 8ec4706d2f7ee8633e9cdb652ff655633d903e8e9eab6e5df76b7d20f82c5719
                                                                                          • Instruction Fuzzy Hash: C5211A71D106599FCB00CF9AC9857EEFBF8BB48614F158129D818B3740D778A954CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C79951,00000800,00000000,00000000), ref: 00C79B62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: 98204b2e5ca452118c7269bd6aabfd1008b2057cdf08092cfeb5b1625f5be300
                                                                                          • Instruction ID: 90238d2b22fb3beb1cc5fd5996c31dcec76d8457ea5109d3f760a9c553486197
                                                                                          • Opcode Fuzzy Hash: 98204b2e5ca452118c7269bd6aabfd1008b2057cdf08092cfeb5b1625f5be300
                                                                                          • Instruction Fuzzy Hash: A41117B29003499FDB10CF9AD444ADEFBF4EB48324F14842AD429B7200C375A945CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C79951,00000800,00000000,00000000), ref: 00C79B62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: a73f8250b99ccd9f3301294813b71141521417ed4e732bf602d2f8e623405741
                                                                                          • Instruction ID: c46593142a69e8ba56ff1d48e962336b1d9056b7dfac91cf8ffca627675974a3
                                                                                          • Opcode Fuzzy Hash: a73f8250b99ccd9f3301294813b71141521417ed4e732bf602d2f8e623405741
                                                                                          • Instruction Fuzzy Hash: CB11F9B69003499FCB10CF9AD444ADEFBF8FB48714F14852AE529A7640C375A645CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06958873
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: e24723f59d30ddb7299e97030cc0300466b547cf6a09f15781eb3f8a771c608c
                                                                                          • Instruction ID: e9e7bbdb9e950941f4bc656b7c4d37904041c599f068854ab9886d2f20a4b4ce
                                                                                          • Opcode Fuzzy Hash: e24723f59d30ddb7299e97030cc0300466b547cf6a09f15781eb3f8a771c608c
                                                                                          • Instruction Fuzzy Hash: FF1140B6900249DFCB10CF89D984BDEBBF4FB48324F148429E629A3610C735A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06958873
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: dd8d4ed94600ab2f7d0335d2bac5d7f5e932cd19bd653b2be01550e1e96bc0ac
                                                                                          • Instruction ID: 2dca2e304c05c9b0b317f098b02089a3a247a9737e216900fa7859e7201c3987
                                                                                          • Opcode Fuzzy Hash: dd8d4ed94600ab2f7d0335d2bac5d7f5e932cd19bd653b2be01550e1e96bc0ac
                                                                                          • Instruction Fuzzy Hash: 391122B5900248DFCB10CF9AC988BDEBBF8FB48324F148419E929A7610C375A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00C798D6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: 932679a883041e24918107dbc94ecf49893c3eb2aef94a507d60848fac65249c
                                                                                          • Instruction ID: 44727eb5de9c9d6a6b3673e9523cc2c59ecb738e570d0f847e6a56d1f4122cfb
                                                                                          • Opcode Fuzzy Hash: 932679a883041e24918107dbc94ecf49893c3eb2aef94a507d60848fac65249c
                                                                                          • Instruction Fuzzy Hash: 5F1104B6C006499FDB10CF9AD444ADEFBF8EB89314F14C42AD429B7640D375A545CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00C7FF28,?,?,?,?), ref: 00C7FF9D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: LongWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1378638983-0
                                                                                          • Opcode ID: 666d2a32c2369f562fd9600fbde00fc8b8c69e4f805ed962b429381c08ec38c2
                                                                                          • Instruction ID: 53e98c6f814198a098b5badad046999846994a1ddd51f02454e7fcbd7457ee0f
                                                                                          • Opcode Fuzzy Hash: 666d2a32c2369f562fd9600fbde00fc8b8c69e4f805ed962b429381c08ec38c2
                                                                                          • Instruction Fuzzy Hash: 971103B59002499FDB10CF99D588BDEBBF8EB49324F14841AD828A7741D374AA49CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0695956D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MessagePost
                                                                                          • String ID:
                                                                                          • API String ID: 410705778-0
                                                                                          • Opcode ID: 4983069d1e86db126597f214eb28a80be3537a350be7f83dde91c50951157622
                                                                                          • Instruction ID: bcf93aa29993ffd22956e825393760eb3ff505cc39839c5c93fe63bdf4411d1d
                                                                                          • Opcode Fuzzy Hash: 4983069d1e86db126597f214eb28a80be3537a350be7f83dde91c50951157622
                                                                                          • Instruction Fuzzy Hash: A41103B5800348DFEB10CF99D888BDEBBF8FB48324F158419E919A7600D375AA54CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00C798D6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: 18edcf193ca80a0d01bc7e00103a318a1d7935a2d5e83b707659d28aa4f399c0
                                                                                          • Instruction ID: 8366199212bd9ac69a91e51a6eea54cd1179e68e40f8ed1c5d6dd31d5cc0c832
                                                                                          • Opcode Fuzzy Hash: 18edcf193ca80a0d01bc7e00103a318a1d7935a2d5e83b707659d28aa4f399c0
                                                                                          • Instruction Fuzzy Hash: 331102B1C002498FCB10CF9AD444ADEFBF8EB89324F14841AD429B7640C379A545CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00C7FF28,?,?,?,?), ref: 00C7FF9D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: LongWindow
                                                                                          • String ID:
                                                                                          • API String ID: 1378638983-0
                                                                                          • Opcode ID: 072717883ca4251f76608886ea106ca3c665b945eaac7e593473fcda47e9e02e
                                                                                          • Instruction ID: b41ea9f4c196719b0153a6fae06d31e461ac2105132c6c8ed37c07df2620e5c0
                                                                                          • Opcode Fuzzy Hash: 072717883ca4251f76608886ea106ca3c665b945eaac7e593473fcda47e9e02e
                                                                                          • Instruction Fuzzy Hash: 171106B59043489FDB10CF9AD588BDEBBF8EB48324F148419E929B7741C374A944CFA5
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0695956D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MessagePost
                                                                                          • String ID:
                                                                                          • API String ID: 410705778-0
                                                                                          • Opcode ID: 1d2575457f160b560e6ca8f2b0ecf668f41c0a72b99ad320c841181c0aea479b
                                                                                          • Instruction ID: bdd27ef0a6a56dff81d4c2cec7b28f033771ecc430cb4dff7a33ea4847831453
                                                                                          • Opcode Fuzzy Hash: 1d2575457f160b560e6ca8f2b0ecf668f41c0a72b99ad320c841181c0aea479b
                                                                                          • Instruction Fuzzy Hash: 1211F5B59003499FDB10CF99D888BDEBBF8EB48324F14841AE919A7600D375A595CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: 1e91578796b04626797f5d50d187785538d4f72d95f9d328cd0c09f0006c383a
                                                                                          • Instruction ID: 0c6f4936a475bb8239bdd662ca40d397dd564db0eb7f8aaab32fe658db239076
                                                                                          • Opcode Fuzzy Hash: 1e91578796b04626797f5d50d187785538d4f72d95f9d328cd0c09f0006c383a
                                                                                          • Instruction Fuzzy Hash: 1A1145B1C002498FCB10DF99D588BDEFBF8FB48324F148419D429A7600D774A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: 8e69289aaf83bce02d991e105bc7ee4e28a702c3dd8361e41fef55643090ecbe
                                                                                          • Instruction ID: 7d15fdf7a7b19efe90e040a31f3a932a1f4626923b07519849b263a0cd9804ef
                                                                                          • Opcode Fuzzy Hash: 8e69289aaf83bce02d991e105bc7ee4e28a702c3dd8361e41fef55643090ecbe
                                                                                          • Instruction Fuzzy Hash: 6C1115B18042498FCB10DF9AD588BDEBBF8EB48324F148419D519A7640D775A944CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Non-executed Functions

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: U
                                                                                          • API String ID: 0-3372436214
                                                                                          • Opcode ID: 5ef192959670e49a6872fe1562ec74d076b5149a4e39c0b8b788d6903deb7fe6
                                                                                          • Instruction ID: 78848489bd812403329c2264eca335a8c7c4d0eceab489867863806ce005d5bf
                                                                                          • Opcode Fuzzy Hash: 5ef192959670e49a6872fe1562ec74d076b5149a4e39c0b8b788d6903deb7fe6
                                                                                          • Instruction Fuzzy Hash: CCC13CF1C917458AEB69CF24E8881897BB9FB85328FD04B28D9616B6D0D7B4106ECF44
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f0042abb77d467e4848f673a56a88082a586cbf07d029601ea2280efb889207e
                                                                                          • Instruction ID: fb29312fc2a6eeb8f28508eb3e2fd4bce4b0d7fc9986857d1683c7927c342559
                                                                                          • Opcode Fuzzy Hash: f0042abb77d467e4848f673a56a88082a586cbf07d029601ea2280efb889207e
                                                                                          • Instruction Fuzzy Hash: 0F12FCF1C917468AEB79CF24E8881893BB8F745328FD04A28C9616BAD0D7B4116ECF44
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 88b759cb7704fd9de75ccb48582b1691eb1a234f8ee8afc02c1996dbd9b3c33d
                                                                                          • Instruction ID: ac775094ae4eac7856a8cebb3c4cefb178252817048520223e0b206b24615de3
                                                                                          • Opcode Fuzzy Hash: 88b759cb7704fd9de75ccb48582b1691eb1a234f8ee8afc02c1996dbd9b3c33d
                                                                                          • Instruction Fuzzy Hash: 77C10B74E042598FCB54DF65C9809ADFBF2FF89304F2581A9D808A7356D731A982CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.331581931.0000000000C70000.00000040.00000001.sdmp, Offset: 00C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2192595d3d096771b3afee3f3dd9b6e06d38b07d199de97ccbc2e89ecf806e6d
                                                                                          • Instruction ID: 683f6eef5a9f7054c9cc50e72df611ca9f88ab3d621bea32d12ca3e1f18a58ca
                                                                                          • Opcode Fuzzy Hash: 2192595d3d096771b3afee3f3dd9b6e06d38b07d199de97ccbc2e89ecf806e6d
                                                                                          • Instruction Fuzzy Hash: 74A16032E0021A8FCF15DFB5C88459DBBB2FF85300F15856AE91ABB261DB31A915DB80
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: acb72a1585624e44be6a2f9f32d40ac6125b3655fce4267f0f966a9f660eeecd
                                                                                          • Instruction ID: 58111c669e77b73895dc6036f07a403a319ea66f4188e1ed8ef3faaa3c47341f
                                                                                          • Opcode Fuzzy Hash: acb72a1585624e44be6a2f9f32d40ac6125b3655fce4267f0f966a9f660eeecd
                                                                                          • Instruction Fuzzy Hash: 6DC1FA74E042598FCB54DF65C9809ADFBF2FF89304F2581A9D808A7356D731A982CFA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d9a84b2b29c24b7d465b1557b8592a9a17d906e37343b208d87e2d77f39c90f7
                                                                                          • Instruction ID: c83ea09cf23786c141b2867263d1d7a5c1bbf77d7cc00ee65b27d5d8b4c35e58
                                                                                          • Opcode Fuzzy Hash: d9a84b2b29c24b7d465b1557b8592a9a17d906e37343b208d87e2d77f39c90f7
                                                                                          • Instruction Fuzzy Hash: 80718B70E0620A8FDB44CFEAD4805AEFBF2EF89310F15D82AD915A7714D7349A418FA1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f6350af9b0422896d7f116af12c6ea9340937336dacfe87a0cb233621db58f1e
                                                                                          • Instruction ID: 8968985761fa24341d5f39bcebb6d39a91f892e754de30d5d6ea692b268c147c
                                                                                          • Opcode Fuzzy Hash: f6350af9b0422896d7f116af12c6ea9340937336dacfe87a0cb233621db58f1e
                                                                                          • Instruction Fuzzy Hash: 82718E74E0620A8FDB44CFEAD4805AEFBF2EB89310F15D42AD915A7754D7349A418FA0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f9f906d7595b98910c529c27179fc0e072e4a246f2022490dfcad1488199f7af
                                                                                          • Instruction ID: 8bde5e2204d424bf3badc6e7875f70fbfdc534d04132502f920c49b3218a9282
                                                                                          • Opcode Fuzzy Hash: f9f906d7595b98910c529c27179fc0e072e4a246f2022490dfcad1488199f7af
                                                                                          • Instruction Fuzzy Hash: 736137B4E0520ACFEB84CFE5D9905EEBBB2FB89310F51982AC816B7714D73499418F94
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6aaf5b3e1c8449fc9830e78b7e4ec5a25663625d4a0bbadf50c25cfc9c49e195
                                                                                          • Instruction ID: ee4de4ef1a0ad86346aa6228d7bd918c780ec50fa06783c8926ad76ac084e43b
                                                                                          • Opcode Fuzzy Hash: 6aaf5b3e1c8449fc9830e78b7e4ec5a25663625d4a0bbadf50c25cfc9c49e195
                                                                                          • Instruction Fuzzy Hash: CC6138B4E05209CFDB84CFA5D5805EEBBB2FF89310F51982AC815B7714D73459468F94
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ea93bf29b80fbc4887cfb8aa10341725b955877e1d79513ead352f0bc1dc6dea
                                                                                          • Instruction ID: 2c75a91143d7ce095846379db3752da3fb415ee7e5e37a461a2c08f9a80ce89c
                                                                                          • Opcode Fuzzy Hash: ea93bf29b80fbc4887cfb8aa10341725b955877e1d79513ead352f0bc1dc6dea
                                                                                          • Instruction Fuzzy Hash: 69517E70E156598FDB94CF65D840B9EBBF2BF89300F15C0AAD908E7261DB305A85CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1944f75c3f8b0624e32ac78984a2cea13ded225530d988b73cc686243f3a749a
                                                                                          • Instruction ID: 233e53bc6a13b022abc6b5e69476d9e2f03660ec3a436b3323a7c81a549cad10
                                                                                          • Opcode Fuzzy Hash: 1944f75c3f8b0624e32ac78984a2cea13ded225530d988b73cc686243f3a749a
                                                                                          • Instruction Fuzzy Hash: 8B415770E09649CFCB49CFA9C8404DEFBB2FF8A314F29C5AAC805AB251D7345A45CB65
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fe1034152915aaa148959894eca003055d9c0d8ab4fc5fa42ea96a06bbfe7152
                                                                                          • Instruction ID: 5e0b3169e1d70e2825e63bcdee3394c431fc6d813e97da757278f65ae60309d3
                                                                                          • Opcode Fuzzy Hash: fe1034152915aaa148959894eca003055d9c0d8ab4fc5fa42ea96a06bbfe7152
                                                                                          • Instruction Fuzzy Hash: 48418A71E15209DFDB44CFA5D8546AEBBB2FF89200F10C4AAC811B7765D7389A05CF94
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 12d25e4f4ca90667b6c3b39dca299360509ef361cabaae4094657cd7e73dbd68
                                                                                          • Instruction ID: 35810fdfb335329f747b833a64c69633b650135afc78654d5564ac6a96f8bb9a
                                                                                          • Opcode Fuzzy Hash: 12d25e4f4ca90667b6c3b39dca299360509ef361cabaae4094657cd7e73dbd68
                                                                                          • Instruction Fuzzy Hash: 6C410871E156188FDB54CF6AD840B9EBBF6BF88310F14C0AAD909A7264DB305A858F91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 43f57c6d535c70427cbb74b6f5316edd210ce358b7e69c750d009123c30f270d
                                                                                          • Instruction ID: 162b905513babafd0f073506839dd42d691cdc638a08bcd3cb29d10ca70cf3b3
                                                                                          • Opcode Fuzzy Hash: 43f57c6d535c70427cbb74b6f5316edd210ce358b7e69c750d009123c30f270d
                                                                                          • Instruction Fuzzy Hash: 2F411874E152198FDB58CF6AD954A9EFBF6FF88200F1480AAD908A7324D7305A45CF51
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f17b5a641d5fd2ea9dd32581f4f2da12a1994e736f0ed615e50060beed6da5a1
                                                                                          • Instruction ID: a2edb8752083abacb3c1208de1eea9d22555e91693b713f5150d3bbf5ffff4fd
                                                                                          • Opcode Fuzzy Hash: f17b5a641d5fd2ea9dd32581f4f2da12a1994e736f0ed615e50060beed6da5a1
                                                                                          • Instruction Fuzzy Hash: B9411D70E156198FDB54CF66D940B9EBBF2FF89300F15C0A9D908A7265DB309A81CF91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ca740f0fa6627f0cbe521bd26f75bd6deb3bae938ec9686e782f331e1eaf5d1d
                                                                                          • Instruction ID: 6801011e281ad82e8c52f38f9a4269c2e946d68bba20f661f48bea8de20dd232
                                                                                          • Opcode Fuzzy Hash: ca740f0fa6627f0cbe521bd26f75bd6deb3bae938ec9686e782f331e1eaf5d1d
                                                                                          • Instruction Fuzzy Hash: 47415870E152198FDB58CF69D95469EFBF2BF88200F14C0AAD808A7364DB308E45CF51
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.342215815.0000000006950000.00000040.00000001.sdmp, Offset: 06950000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 09b4aeabc3aac5a8be223e5cb6254a1ebeeaa28f0ca766655e62e1f08fff8a3a
                                                                                          • Instruction ID: ac2238f19679f7c05547af42ed4c4e9f38659609776249e5b9f2e450e0da8144
Executed Functions

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 0153BE72
Strings
Memory Dump Source
• Source File: 00000012.00000002.499685036.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID: U
• API String ID: 2118026453-3372436214

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015352A2
Memory Dump Source
• Source File: 00000012.00000002.499685036.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015352A2
Memory Dump Source
• Source File: 00000012.00000002.499685036.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01536DFF
Memory Dump Source
• Source File: 00000012.00000002.499685036.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 01537CF9
Memory Dump Source
• Source File: 00000012.00000002.499685036.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01536DFF
Memory Dump Source
• Source File: 00000012.00000002.499685036.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01536DFF
Memory Dump Source
• Source File: 00000012.00000002.499685036.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 0153BE72
Memory Dump Source
• Source File: 00000012.00000002.499685036.0000000001530000.00000040.00000001.sdmp, Offset: 01530000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0

Non-executed Functions

Executed Functions

Memory Dump Source
• Source File: 00000015.00000002.394653453.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

                                                                                          Non-executed Functions

                                                                                          Executed Functions

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000017.00000002.411728418.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c1e7388c266890c97a7f074f9f6f9b272a003c0015f20293387030894292514f
                                                                                          • Instruction ID: b92462cc6bea1a5a684a17949a505037f2bd56902ca1ce318a800f1cc2b9e037
                                                                                          • Opcode Fuzzy Hash: c1e7388c266890c97a7f074f9f6f9b272a003c0015f20293387030894292514f
                                                                                          • Instruction Fuzzy Hash: F6328E34B05A05CFC728DF69F59066A73F6FF89209F148968C4528B784DB35EC8ACB91
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000017.00000002.411728418.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 33207cf183554920b2efd0d3cebacb944e74b775e604f93c2dd22880dab48cb2
                                                                                          • Instruction ID: 35b40c2aec556d11c340f40dd98af1c5211d874bed8bddfe0723110871f2db3c
                                                                                          • Opcode Fuzzy Hash: 33207cf183554920b2efd0d3cebacb944e74b775e604f93c2dd22880dab48cb2
                                                                                          • Instruction Fuzzy Hash: 4781F231A047498FCB25CFA4E4146AEBBF2EF89314F058929D412AB764DF34AC89DB40
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000017.00000002.411728418.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 58f2ab4449dbbfdbfb6d2ab2ea7036214caf1ae7307c822eeb8e13739fc34d9d
                                                                                          • Instruction ID: 0a8a310c0caa97792d1a920cb759a59c0fb6cb014396e0daf8bcc151255e5d46
                                                                                          • Opcode Fuzzy Hash: 58f2ab4449dbbfdbfb6d2ab2ea7036214caf1ae7307c822eeb8e13739fc34d9d
                                                                                          • Instruction Fuzzy Hash: DF315975B012508FCB58EB78C56896D33E1AF8961831208BDE406CFB71DB35DC86CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000017.00000002.411728418.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1318a5d9a790a281cbaf088b4be6132a25df20b9ff3f9bddd3f442a2adc78aed
                                                                                          • Instruction ID: 3746a0eca4c0c499c0edb78eded259953dce303bb7004d8f7af10251e32350ae
                                                                                          • Opcode Fuzzy Hash: 1318a5d9a790a281cbaf088b4be6132a25df20b9ff3f9bddd3f442a2adc78aed
                                                                                          • Instruction Fuzzy Hash: 3A213975B011508FCB58AB38D56886D33E2AF8961935208B9E506CFB71DF32DC86CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000017.00000002.411728418.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 21b774a612d314db87f56ea0e87618b6625ff2f121d8579df9b070899e18dc91
                                                                                          • Instruction ID: 01d4b71a71f663cd4392960e838a1ff28171f986f9bf36e5fcb2ab9c40f75ec8
                                                                                          • Opcode Fuzzy Hash: 21b774a612d314db87f56ea0e87618b6625ff2f121d8579df9b070899e18dc91
                                                                                          • Instruction Fuzzy Hash: 1D11E135E002099FCB44DFB9E9449EEBBF5FF89200B10826AE51597721E7349955CF80
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000017.00000002.411728418.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 99594445a0bceaa701bb2b2c16d5801fa7f181fe289862014d7b85a8c620c4e8
                                                                                          • Instruction ID: 535a22a1ac755f1d165da36868d8c73437e7b0b7d64677ac682c2bd816bcb217
                                                                                          • Opcode Fuzzy Hash: 99594445a0bceaa701bb2b2c16d5801fa7f181fe289862014d7b85a8c620c4e8
                                                                                          • Instruction Fuzzy Hash: 73019E35E002099FCB40DFB9D9408EEFBB5FF8D200710826AE515DB721EB34A999CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000017.00000002.411728418.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ab6a8cf1a25f4b1b2a63eebb0ce8b817913c972fbb9f69c60f731b309e5c7052
                                                                                          • Instruction ID: f1f0887411413bcef0ad3eda0212d8c97033f39d7f7eefb868a162639d9258c0
                                                                                          • Opcode Fuzzy Hash: ab6a8cf1a25f4b1b2a63eebb0ce8b817913c972fbb9f69c60f731b309e5c7052
                                                                                          • Instruction Fuzzy Hash: 24F03071D0E3845FCB42DBB869140DEBFF0AD47610B1645EBC489DB156E2644A0AD752
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000017.00000002.411728418.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ec142ad45009829c35c1c4acd9da86c8493bb55b621f07b3e9798f55e27143f9
                                                                                          • Instruction ID: 463fc9fcd2375a2a7ffcacedd1c5fe140c46df31f8f4495582636b4a4edaec0b
                                                                                          • Opcode Fuzzy Hash: ec142ad45009829c35c1c4acd9da86c8493bb55b621f07b3e9798f55e27143f9
                                                                                          • Instruction Fuzzy Hash: 71F01C71A056098FDB14DBA8E5597AD7BF0AB08218F160858D412AB395CB749988CB90
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000017.00000002.411728418.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 472c59c0ca82acf735594221c70b536532f62f13a27aa3baa7001a5f39d5205b
                                                                                          • Instruction ID: 79683ee5137f952f401dcd2a91d14d730d616bbe9d86aedb5374ec594d88c614
                                                                                          • Opcode Fuzzy Hash: 472c59c0ca82acf735594221c70b536532f62f13a27aa3baa7001a5f39d5205b
                                                                                          • Instruction Fuzzy Hash: 97D05B317002149FC714EB79F909A4A77F8EF09611F114055E904CB255DB71DD14CBD1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000017.00000002.411728418.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: baa343d5e6f7789ae1712e1d77bebf8c900b66331f0a9ed6d9c8100c9a61e683
                                                                                          • Instruction ID: 4ac49eda65fef6f2e39ba834592448faeebf474501bd85076580fdc7ddf2be50
                                                                                          • Opcode Fuzzy Hash: baa343d5e6f7789ae1712e1d77bebf8c900b66331f0a9ed6d9c8100c9a61e683
                                                                                          • Instruction Fuzzy Hash: A4D067B1D0522DAF8B50EFFDA9051EEBBF8EA08250B1149A6D919E7204E6705A148BD1
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

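The records above are raw per-function fingerprints, and the useful facts for triage are scattered across them: which process and memory region each function came from, whether that region was backed by a PE image, what page protection it carried, and whether any of the fuzzy hashes repeat. The following Python is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses records in this layout into dicts and summarises them per memory dump. It assumes the .sdmp file name is laid out as PID.RUN.DUMPID.BASE.PROTECT.TYPE.sdmp with hexadecimal fields (the page does not document this), decodes PROTECT with the winnt.h PAGE_* constants, and leaves the TYPE field raw. The embedded sample input is two records copied from the listing above.

```python
"""Parse Joe Sandbox function-fingerprint records and decode the dump
names they cite. Added example; not part of the report."""
import re
from collections import defaultdict

# Windows memory protection constants from winnt.h. The PROTECT field of the
# .sdmp name is assumed (not stated on the page) to hold one of these.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
SECTION_HEADINGS = ("Executed Functions", "Non-executed Functions")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(true|false)")
SCORE_RE = re.compile(r"Uniqueness Score:\s*(-?[\d.]+)%")


def parse_dump_name(name):
    """Assumed layout: <PID>.<RUN>.<DUMPID>.<BASE>.<PROTECT>.<TYPE>.sdmp,
    every field hexadecimal. TYPE is returned raw (meaning not on the page)."""
    parts = name.rsplit(".sdmp", 1)[0].split(".")
    if len(parts) != 6:
        raise ValueError("unexpected dump name layout: %s" % name)
    pid, run, dump_id, base, protect, mem_type = parts
    prot = int(protect, 16)
    return {"pid": int(pid, 16), "run": int(run, 16), "dump_id": dump_id,
            "base": int(base, 16),
            "protection": PAGE_PROTECTION.get(prot, "0x%X" % prot),
            "type_raw": mem_type}


def parse_records(text):
    """A record opens at 'Memory Dump Source' and collects every bullet
    field and the 'Uniqueness Score' line that follow it."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADINGS:
            section = line
        elif line == "Memory Dump Source":
            current = {"section": section}
            records.append(current)
        elif current is None:
            continue
        elif SOURCE_RE.search(line):
            m = SOURCE_RE.search(line)
            current["source_file"] = m.group(1)
            current["offset"] = int(m.group(2), 16)
            current["based_on_pe"] = m.group(3) == "true"
        elif SCORE_RE.search(line):
            current["uniqueness"] = float(SCORE_RE.search(line).group(1))
        elif FIELD_RE.match(line):
            key, value = FIELD_RE.match(line).groups()
            current[key.strip()] = value.strip()
    return records


def summarize(records):
    """Per dump: owning PID, region base and protection, whether the region
    was PE-backed, how many functions it holds, plus record sanity checks."""
    groups = defaultdict(list)
    for r in records:
        groups[r["source_file"]].append(r)
    out = {}
    for src, recs in groups.items():
        meta = parse_dump_name(src)
        out[src] = {
            "pid": meta["pid"], "base": meta["base"],
            "protection": meta["protection"],
            "backed_by_pe": all(r.get("based_on_pe", False) for r in recs),
            "functions": len(recs),
            "distinct_instruction_ids": len({r.get("Instruction ID") for r in recs}),
            # -1.00% is treated as "not scored", not as a similarity figure
            "unscored": sum(r.get("uniqueness") == -1.0 for r in recs),
            "opcode_id_mismatch": sum(r.get("Opcode ID") != r.get("Opcode Fuzzy Hash")
                                      for r in recs),
            "with_api_refs": sum(bool(r.get("API ID")) for r in recs),
        }
    return out


# Two records copied from the report listing above; offline sample input.
SAMPLE_REPORT = """\
Executed Functions
Memory Dump Source
• Source File: 00000015.00000002.394653453.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1498bb3f85e0c62aded4692277018cbe85ed82729996d89c8547234cc803f1db
• Instruction ID: ad64ccfb74ee1096a56d2b797bcf0081ac2159af22762b5753f03883fdf93069
• Opcode Fuzzy Hash: 1498bb3f85e0c62aded4692277018cbe85ed82729996d89c8547234cc803f1db
• Instruction Fuzzy Hash: CED067B1D00229AF8B40EFB999052DEBBF8FA09251B1145A6DA59E3200E6709A10CBE1
Uniqueness Score: -1.00%
Non-executed Functions
Executed Functions
Memory Dump Source
• Source File: 00000017.00000002.411728418.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false
• Opcode ID: c1e7388c266890c97a7f074f9f6f9b272a003c0015f20293387030894292514f
• Instruction ID: b92462cc6bea1a5a684a17949a505037f2bd56902ca1ce318a800f1cc2b9e037
• Opcode Fuzzy Hash: c1e7388c266890c97a7f074f9f6f9b272a003c0015f20293387030894292514f
• Instruction Fuzzy Hash: F6328E34B05A05CFC728DF69F59066A73F6FF89209F148968C4528B784DB35EC8ACB91
Uniqueness Score: -1.00%
"""
```

Run against the full listing, `summarize(parse_records(text))` reports both dumps as non-PE-backed regions with PAGE_EXECUTE_READWRITE protection (under the assumed name layout), which is the profile of unpacked or injected code rather than a mapped image; the empty API ID and String ID fields and the -1.00% scores mean the report attached no API, string or similarity data to these functions, so the Instruction and Opcode hashes are the only pivots available for cross-sample matching.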
Non-executed Functions