
Windows Analysis Report IN00043Q1098157INBOM_PDF.scr

Overview

General Information

Sample Name: IN00043Q1098157INBOM_PDF.scr (renamed file extension from scr to exe)
Analysis ID: 483913
MD5: c2ce5a6ac6a3f64917af0f6ea60c04e5
SHA1: 4f04822fbc2e6c2cbcd529ffbf13fe0e69d0ef8b
SHA256: 4220609cfa7ee56eb45421d8c08257f828c06bb8ebf0bc602cff01609107c6c4
Tags: agentteslaexe

Detection

AgentTesla
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • IN00043Q1098157INBOM_PDF.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe' MD5: C2CE5A6AC6A3F64917AF0F6EA60C04E5)
    • powershell.exe (PID: 6652 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_compiler.exe (PID: 5364 cmdline: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
  • cleanup
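The process tree above is the report's own. The Python below is an added example, not Joe Sandbox or Sigma code, that encodes the three things in that tree a detection engineer would alert on from process-creation telemetry: a .NET Framework tool (aspnet_compiler.exe) executing from %TEMP% instead of its install directory (the suspended-mode launch noted in the signatures is the usual prelude to hollowing it), a PowerShell whose only command is Start-Sleep spawned by a binary in a user-writable path, and a document-style lure name with an executable extension. The event records are constructed to mirror the tree, using Sysmon Event ID 1 field names as an assumed log source; the explorer.exe parent, the benign control event, and the extra hollowing targets beyond aspnet_compiler.exe are additions for illustration, not facts from the report.

```python
"""Added example (not Joe Sandbox or Sigma code): flag the process chain in this
report from process-creation telemetry. Field names follow the Sysmon Event ID 1
schema (Image, CommandLine, ParentImage), an assumed log source; the sample events
are constructed to mirror the report's process tree."""
import re
from dataclasses import dataclass

# Install directories of the .NET Framework tools (substring match on the lower-cased path).
FRAMEWORK_DIRS = (r"c:\windows\microsoft.net\framework\v", r"c:\windows\microsoft.net\framework64\v")
# Framework binaries commonly copied out and hollowed; only aspnet_compiler.exe is on the page,
# the others are an assumption drawn from other .NET loaders.
HOLLOW_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


def _path_has(path: str, needles) -> bool:
    p = path.lower()
    return any(n in p for n in needles)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> list:
    """Return (rule, detail) hits for one process-creation event."""
    hits = []
    name = basename(ev.image)
    # 1. A framework tool running from outside its install directory: the report shows
    #    aspnet_compiler.exe dropped to %TEMP% and started from there.
    if name in HOLLOW_TARGETS and not _path_has(ev.image, FRAMEWORK_DIRS):
        hits.append(("framework_tool_outside_install_dir", ev.image))
    # 2. PowerShell whose whole job is Start-Sleep, launched from a user-writable path:
    #    the delay is outsourced to a signed binary so the dropper itself shows no sleep.
    if name == "powershell.exe" and re.search(r"\bstart-sleep\b", ev.cmdline, re.I) \
            and _path_has(ev.parent_image, USER_WRITABLE):
        hits.append(("powershell_sleep_from_user_binary", ev.cmdline))
    # 3. Lure naming: a document-looking stem with an executable extension (.scr included,
    #    since the sample arrived as IN00043Q1098157INBOM_PDF.scr).
    if re.search(r"_(pdf|doc|xls|invoice)\.(exe|scr|com|pif)$", name, re.I):
        hits.append(("document_lure_executable_name", name))
    return hits


def scan(events) -> dict:
    """pid -> hits for every event that triggered at least one rule."""
    return {ev.pid: h for ev in events if (h := check_event(ev))}


# Constructed events mirroring the report's process tree (PIDs and paths from the report;
# the explorer.exe parent and the benign control event at the end are invented).
SAMPLE = [
    ProcEvent(6352, r"C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe",
              r"'C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe'", 1234, r"C:\Windows\explorer.exe"),
    ProcEvent(6652, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20",
              6352, r"C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe"),
    ProcEvent(6676, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              6652, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(5364, r"C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe",
              r"C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe",
              6352, r"C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe"),
    ProcEvent(7001, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r"aspnet_compiler.exe -v / -p C:\site", 7000,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE).items():
        for rule, detail in hits:
            print(f"pid {pid}: {rule}: {detail}")
```

Rule 1 is the one with real weight: the legitimate aspnet_compiler.exe never runs from a user profile, so the path alone is enough to page on, while the Start-Sleep and lure-name rules are better used as enrichment on the same parent PID than as stand-alone alerts.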

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "z6@pa-ksa.com", "Password": "7mgTt7HCBo3_tl@", "Host": "secure300.inmotionhosting.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000001B.00000002.481444903.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(table truncated; the full report lists 10 entries)

            Unpacked PEs

Source | Rule | Description | Author
0.2.IN00043Q1098157INBOM_PDF.exe.42ef140.11.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.IN00043Q1098157INBOM_PDF.exe.42ef140.11.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
27.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
27.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.IN00043Q1098157INBOM_PDF.exe.43a3ce8.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(table truncated; the full report lists 9 entries)

                      Sigma Overview

                      System Summary:

Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20, CommandLine|base64offset|contains: Jy, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe' , ParentImage: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe, ParentProcessId: 6352, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20, ProcessId: 6652
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132762211537809114.6652.DefaultAppDomain.powershell

                      Jbx Signature Overview


                      AV Detection:

Found malware configuration
Source: 0.2.IN00043Q1098157INBOM_PDF.exe.43f3d08.14.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "z6@pa-ksa.com", "Password": "7mgTt7HCBo3_tl@", "Host": "secure300.inmotionhosting.com"}
Machine Learning detection for sample
Source: IN00043Q1098157INBOM_PDF.exe | Joe Sandbox ML: detected
Source: 27.2.aspnet_compiler.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: IN00043Q1098157INBOM_PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: IN00043Q1098157INBOM_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb | source: IN00043Q1098157INBOM_PDF.exe
Source: Binary string: aspnet_compiler.pdb | source: aspnet_compiler.exe, aspnet_compiler.exe.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ | source: IN00043Q1098157INBOM_PDF.exe
Source: aspnet_compiler.exe, 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: aspnet_compiler.exe, 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: aspnet_compiler.exe, 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp | String found in binary or memory: http://ISXesm.com
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://ocsp.digicert.com0K
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://ocsp.digicert.com0N
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000004.00000002.350935626.0000000007773000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.346116296.00000000048B2000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngH
Source: powershell.exe, 00000004.00000002.345882415.0000000004771000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000002.350935626.0000000007773000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.346116296.00000000048B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlH
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.437566275.0000000006050000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224188494.0000000006096000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224137907.0000000006096000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html:3
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.440850247.0000000001867000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com/designersa6
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224277676.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comX
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224277676.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma4
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224277676.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224783246.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.437566275.0000000006050000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.437566275.0000000006050000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comiona
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224277676.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comituF-
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224783246.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comituFQ
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224783246.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comitud
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224783246.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comt
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.219288579.0000000006057000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.226033077.0000000006057000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.226033077.0000000006057000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/n
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.220902698.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.220902698.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Q
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/4
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/k
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/oH
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/oi
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/vnoJ
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/waC
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.350935626.0000000007773000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.346116296.00000000048B2000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/PesterH
Source: powershell.exe, 00000004.00000002.349199494.0000000004FEB000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: https://www.newtonsoft.com/json
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: IN00043Q1098157INBOM_PDF.exe | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001B.00000002.481444903.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: aspnet_compiler.exe, 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.438643894.00000000013E8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeCode function: 0_2_00D520500_2_00D52050
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeCode function: 0_2_0162C1340_2_0162C134
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeCode function: 0_2_0162E5680_2_0162E568
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeCode function: 0_2_0162E5780_2_0162E578
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeCode function: 0_2_00D56F3F0_2_00D56F3F
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeCode function: 0_2_00D55DE20_2_00D55DE2
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_047508584_2_04750858
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_07858DE04_2_07858DE0
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_078500144_2_07850014
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_078500404_2_07850040
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_053B46E027_2_053B46E0
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_053B465027_2_053B4650
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_053B469227_2_053B4692
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_053B46D227_2_053B46D2
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_053BD35027_2_053BD350
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_061A753027_2_061A7530
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_061A90F027_2_061A90F0
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_061A691827_2_061A6918
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exeCode function: 27_2_061A6C6027_2_061A6C60
                      Source: IN00043Q1098157INBOM_PDF.exeBinary or memory string: OriginalFilename vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.439411203.0000000001530000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameGexjantftnrclnlpo.dllD vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBqppZujFnZRDUhZjEPpNfXEpLZgMl.exe4 vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.438643894.00000000013E8000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.442249065.0000000004191000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAtexwtottfz.dll" vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000000.213953537.0000000000D52000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000000.213953537.0000000000D52000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSSGG1.exe: vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exeBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs IN00043Q1098157INBOM_PDF.exe
                      Source: IN00043Q1098157INBOM_PDF.exeBinary or memory string: OriginalFilenameSSGG1.exe: vs IN00043Q1098157INBOM_PDF.exe
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe A1661DB1B74B876A7E789FC6EBB4E34BEAFA2B48A08E13FD18927FBECC9D2AC4
                      Source: IN00043Q1098157INBOM_PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe 'C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe'
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20Jump to behavior
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | Process created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IN00043Q1098157INBOM_PDF.exe.log
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | File created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
Source: classification engine | Classification label: mal80.troj.evad.winEXE@6/7@0/0
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_01
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: IN00043Q1098157INBOM_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: IN00043Q1098157INBOM_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: IN00043Q1098157INBOM_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: IN00043Q1098157INBOM_PDF.exe
Source: Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, aspnet_compiler.exe.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ source: IN00043Q1098157INBOM_PDF.exe
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Code function: 27_2_061A7EFA push 8BF04589h; iretd 27_2_061A7F84
Source: IN00043Q1098157INBOM_PDF.exe | Static PE information: 0xBA8C4F5A [Wed Mar 6 01:05:30 2069 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.06744291098
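The two static findings above are worth reproducing by hand: the COFF TimeDateStamp 0xBA8C4F5A decodes to 6 March 2069, a date in the future, which is what the "suspicious time stamp" signature keys on, and a .text section at 7.07 bits per byte is far denser than ordinary compiled code, consistent with packed or encrypted content. The following Python is an added example written for this page; it is not code from the Joe Sandbox report or from the sample. `build_min_pe` constructs a minimal header purely as demonstration input, and the analysis date and the 7.0 entropy threshold are assumptions.

```python
import math
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def build_min_pe(timestamp: int, machine: int = 0x014C) -> bytes:
    """Construct a minimal PE-shaped blob (DOS header, PE signature, COFF file header).
    Demonstration input only; a real file also carries an optional header and sections."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def coff_timestamp(data: bytes):
    """Return (raw TimeDateStamp, UTC datetime) read from IMAGE_FILE_HEADER."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    raw = struct.unpack_from("<I", data, e_lfanew + 8)[0]  # 4 (signature) + Machine + NumberOfSections
    # timedelta arithmetic sidesteps platform limits of fromtimestamp() for far-future values
    return raw, EPOCH + timedelta(seconds=raw)


def timestamp_is_suspicious(raw: int, analysed_at: datetime) -> bool:
    """Zeroed, all-ones or post-analysis link times cannot come from a normal build."""
    if raw in (0, 0xFFFFFFFF):
        return True
    return EPOCH + timedelta(seconds=raw) > analysed_at


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def packed_section_hint(entropy: float, threshold: float = 7.0) -> bool:
    """Heuristic (threshold is an assumption): code sections normally sit well below 7 bits/byte;
    packed or encrypted payloads approach 8."""
    return entropy >= threshold


if __name__ == "__main__":
    # The value the report printed for the sample; the analysis date is an assumed reference.
    raw, when = coff_timestamp(build_min_pe(0xBA8C4F5A))
    analysed = datetime(2021, 9, 1, tzinfo=timezone.utc)
    print(f"TimeDateStamp 0x{raw:08X} -> {when:%a %b %d %H:%M:%S %Y} UTC")
    print("suspicious timestamp:", timestamp_is_suspicious(raw, analysed))
    print("reported .text entropy 7.067 looks packed:", packed_section_hint(7.06744291098))
```

Run it against a real file by replacing the constructed header with `open(path, "rb").read()`; the timestamp read is header-only, so it works on any PE regardless of size, while the entropy should be computed per section (slice the file by the section table) rather than over the whole image, because headers and resource data drag the figure down.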
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | File created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe (dropped file)
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | Process information set: NOOPENFILEERRORBOX (identical record repeated 41 times in the report)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (identical record repeated 89 times in the report)
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX (identical record repeated 38 times in the report)

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe TID: 6356 | Thread sleep time: -34000s >= -30000s
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe TID: 6388 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5592 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6808 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 6524 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 6496 | Thread sleep count: 284 > 30
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe TID: 6496 | Thread sleep count: 9581 > 30
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1443
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Window / User API: threadDelayed 9581
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000004.00000002.347257927.0000000004BB2000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: powershell.exe, 00000004.00000002.347257927.0000000004BB2000.00000004.00000001.sdmp | Binary or memory string: i:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.438821139.0000000001421000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.438821139.0000000001421000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | Process created: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
Source: aspnet_compiler.exe, 0000001B.00000002.485882884.00000000019C0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: aspnet_compiler.exe, 0000001B.00000002.485882884.00000000019C0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: aspnet_compiler.exe, 0000001B.00000002.485882884.00000000019C0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: aspnet_compiler.exe, 0000001B.00000002.485882884.00000000019C0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
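The evasion records above give a detection engineer three concrete hooks: a dropper in the user's profile launching PowerShell whose entire command line is Start-Sleep -s 20, a file named after a .NET Framework tool (aspnet_compiler.exe) executing from %TEMP% rather than %WINDIR%\Microsoft.NET\Framework, and that same process enumerating Win32_Processor, Win32_BaseBoard and Win32_NetworkAdapterConfiguration over WMI. The following Python runs those three rules over constructed telemetry; it is an added example for this page, not code from the Joe Sandbox report or from the sample. The event schema is hypothetical (no real Sysmon or EDR format is implied), the `user_writable` heuristic and the .NET tool names beyond aspnet_compiler.exe are the author's choices, and the three benign records are constructed negative controls.

```python
import ntpath
import re

# Constructed telemetry in a hypothetical schema (an assumption for this example, not a Sysmon
# or vendor event format). Records mirror the report's process tree and WMI queries; the last
# three are benign negative controls.
EVENTS = [
    {"type": "process", "image": r"C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"'C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe'"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe",
     "cmdline": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20"},
    {"type": "process", "image": r"C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe",
     "parent_image": r"C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe"},
    {"type": "wmi", "image": r"C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe",
     "wmi_class": "Win32_Processor"},
    {"type": "wmi", "image": r"C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe",
     "wmi_class": "Win32_BaseBoard"},
    {"type": "wmi", "image": r"C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe",
     "wmi_class": "Win32_NetworkAdapterConfiguration"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"aspnet_compiler.exe -v / -p C:\src\site"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-Process"},
    {"type": "wmi", "image": r"C:\Windows\System32\svchost.exe", "wmi_class": "Win32_Processor"},
]

# Where the genuine .NET Framework tools live; a copy anywhere else deserves a look.
DOTNET_DIRS = ("c:\\windows\\microsoft.net\\framework\\", "c:\\windows\\microsoft.net\\framework64\\")
# aspnet_compiler.exe is the one this sample used; the rest are other tools from the same
# directory that are often copied for the same purpose (analyst's choice, extend as needed).
DOTNET_TOOLS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# WMI classes whose values reveal a hypervisor; the report shows three of them being queried.
VM_FINGERPRINT_CLASSES = {"win32_processor", "win32_baseboard", "win32_bios", "win32_computersystem",
                          "win32_networkadapter", "win32_networkadapterconfiguration"}

LEADING_TOKEN = re.compile(r"""^\s*(?:'[^']*'|"[^"]*"|\S+)\s*""")  # program name, quoted or bare
SLEEP_ONLY = re.compile(r"start-sleep\s+(?:-s(?:econds)?\s+)?\d+", re.I)


def user_writable(path: str) -> bool:
    """Heuristic: profile, ProgramData and any Temp directory (an assumption; tune per estate)."""
    p = path.lower()
    return p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\") or "\\temp\\" in p


def rule_sleep_only_powershell(ev: dict) -> bool:
    """PowerShell whose whole command line is Start-Sleep, launched by something in a
    user-writable path: a delay to outlast sandbox time limits, not administration."""
    if ev["type"] != "process" or ntpath.basename(ev["image"]).lower() != "powershell.exe":
        return False
    args = LEADING_TOKEN.sub("", ev["cmdline"]).strip()
    return bool(SLEEP_ONLY.fullmatch(args)) and user_writable(ev["parent_image"])


def rule_dotnet_tool_outside_framework(ev: dict) -> bool:
    """A .NET Framework tool name executing from outside %WINDIR%\\Microsoft.NET."""
    if ev["type"] != "process":
        return False
    name = ntpath.basename(ev["image"]).lower()
    return name in DOTNET_TOOLS and not ev["image"].lower().startswith(DOTNET_DIRS)


def rule_vm_fingerprint_wmi(ev: dict) -> bool:
    """Hardware or network enumeration over WMI from a process in a user-writable directory."""
    return (ev["type"] == "wmi" and ev["wmi_class"].lower() in VM_FINGERPRINT_CLASSES
            and user_writable(ev["image"]))


RULES = {
    "sleep_only_powershell": rule_sleep_only_powershell,
    "dotnet_tool_outside_framework": rule_dotnet_tool_outside_framework,
    "vm_fingerprint_wmi": rule_vm_fingerprint_wmi,
}


def evaluate(events):
    """Return (rule name, image) pairs, de-duplicated, in first-seen order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev) and (name, ev["image"]) not in hits:
                hits.append((name, ev["image"]))
    return hits


def vm_fingerprint_summary(events):
    """Sorted fingerprinting classes per image; several classes from one process is the
    stronger signal, as with the three queries attributed to aspnet_compiler.exe above."""
    seen = {}
    for ev in events:
        if rule_vm_fingerprint_wmi(ev):
            seen.setdefault(ev["image"], set()).add(ev["wmi_class"])
    return {img: sorted(classes) for img, classes in seen.items()}


if __name__ == "__main__":
    for rule, image in evaluate(EVENTS):
        print(f"{rule:32} {image}")
    for image, classes in vm_fingerprint_summary(EVENTS).items():
        print(f"{image}: {', '.join(classes)}")
```

The path check in `rule_dotnet_tool_outside_framework` is deliberately on the image path rather than on the name alone: the genuine aspnet_compiler.exe under v4.0.30319 spawned by MSBuild must stay quiet, and the WMI rule is kept weak on its own (a single Win32_Processor query from svchost.exe is normal) so that `vm_fingerprint_summary` can raise the severity only when one process touches several classes.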
Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe | Queries volume information (VolumeInformation) of each of the following files:
C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Fonts\arial.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\ARIALN.TTF
C:\Windows\Fonts\ariblk.ttf
C:\Windows\Fonts\ARIALNI.TTF
C:\Windows\Fonts\ARIALNB.TTF
C:\Windows\Fonts\ARIALNBI.TTF
C:\Windows\Fonts\bahnschrift.ttf
C:\Windows\Fonts\calibri.ttf
C:\Windows\Fonts\calibril.ttf
C:\Windows\Fonts\calibrii.ttf
C:\Windows\Fonts\calibrili.ttf
C:\Windows\Fonts\calibrib.ttf
C:\Windows\Fonts\calibriz.ttf
C:\Windows\Fonts\cambria.ttc
C:\Windows\Fonts\cambriai.ttf
C:\Windows\Fonts\cambriab.ttf
C:\Windows\Fonts\cambriaz.ttf
C:\Windows\Fonts\Candara.ttf
C:\Windows\Fonts\Candarai.ttf
C:\Windows\Fonts\Candarab.ttf
C:\Windows\Fonts\Candaraz.ttf
C:\Windows\Fonts\comic.ttf
C:\Windows\Fonts\comici.ttf
C:\Windows\Fonts\comicbd.ttf
C:\Windows\Fonts\comicz.ttf
C:\Windows\Fonts\consola.ttf
C:\Windows\Fonts\consolai.ttf
C:\Windows\Fonts\consolab.ttf
C:\Windows\Fonts\consolaz.ttf
C:\Windows\Fonts\constan.ttf
C:\Windows\Fonts\constani.ttf
C:\Windows\Fonts\constanb.ttf
C:\Windows\Fonts\constanz.ttf
C:\Windows\Fonts\corbel.ttf
C:\Windows\Fonts\corbeli.ttf
C:\Windows\Fonts\corbelb.ttf
C:\Windows\Fonts\corbelz.ttf
C:\Windows\Fonts\cour.ttf
C:\Windows\Fonts\couri.ttf
C:\Windows\Fonts\courbd.ttf
C:\Windows\Fonts\courbi.ttf
C:\Windows\Fonts\ebrima.ttf
C:\Windows\Fonts\ebrimabd.ttf
C:\Windows\Fonts\framd.ttf
C:\Windows\Fonts\FRADM.TTF
C:\Windows\Fonts\framdit.ttf
C:\Windows\Fonts\FRADMIT.TTF
C:\Windows\Fonts\FRAMDCN.TTF
C:\Windows\Fonts\FRADMCN.TTF
C:\Windows\Fonts\FRAHV.TTF
C:\Windows\Fonts\FRAHVIT.TTF
C:\Windows\Fonts\Gabriola.ttf
C:\Windows\Fonts\gadugi.ttf
C:\Windows\Fonts\gadugib.ttf
C:\Windows\Fonts\georgia.ttf
C:\Windows\Fonts\georgiai.ttf
C:\Windows\Fonts\georgiab.ttf
C:\Windows\Fonts\georgiaz.ttf
C:\Windows\Fonts\impact.ttf
C:\Windows\Fonts\Inkfree.ttf
C:\Windows\Fonts\javatext.ttf
C:\Windows\Fonts\LeelawUI.ttf
C:\Windows\Fonts\LeelUIsl.ttf
C:\Windows\Fonts\LeelaUIb.ttf
C:\Windows\Fonts\lucon.ttf
C:\Windows\Fonts\l_10646.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\malgunsl.ttf
C:\Windows\Fonts\malgunbd.ttf
C:\Windows\Fonts\himalaya.ttf
C:\Windows\Fonts\msjh.ttc
C:\Windows\Fonts\msjhl.ttc
C:\Windows\Fonts\msjhbd.ttc
C:\Windows\Fonts\ntailu.ttf
C:\Windows\Fonts\ntailub.ttf
C:\Windows\Fonts\phagspa.ttf
C:\Windows\Fonts\phagspab.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\taile.ttf
C:\Windows\Fonts\taileb.ttf
C:\Windows\Fonts\msyh.ttc
C:\Windows\Fonts\msyhl.ttc
C:\Windows\Fonts\msyhbd.ttc
C:\Windows\Fonts\msyi.ttf
C:\Windows\Fonts\mingliub.ttc
C:\Windows\Fonts\monbaiti.ttf
C:\Windows\Fonts\msgothic.ttc
C:\Windows\Fonts\mvboli.ttf
C:\Windows\Fonts\mmrtext.ttf
C:\Windows\Fonts\mmrtextb.ttf
C:\Windows\Fonts\Nirmala.ttf
C:\Windows\Fonts\NirmalaS.ttf
C:\Windows\Fonts\NirmalaB.ttf
C:\Windows\Fonts\pala.ttf
C:\Windows\Fonts\palai.ttf
C:\Windows\Fonts\palab.ttf
C:\Windows\Fonts\palabi.ttf
C:\Windows\Fonts\segoepr.ttf
C:\Windows\Fonts\segoeprb.ttf
C:\Windows\Fonts\segoesc.ttf
C:\Windows\Fonts\segoescb.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\seguisli.ttf
C:\Windows\Fonts\seguili.ttf
C:\Windows\Fonts\seguisbi.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\seguibl.ttf
C:\Windows\Fonts\seguibli.ttf
C:\Windows\Fonts\seguiemj.ttf
C:\Windows\Fonts\seguihis.ttf
C:\Windows\Fonts\seguisym.ttf
C:\Windows\Fonts\simsun.ttc
C:\Windows\Fonts\simsunb.ttf
C:\Windows\Fonts\Sitka.ttc
C:\Windows\Fonts\SitkaI.ttc
C:\Windows\Fonts\SitkaB.ttc
C:\Windows\Fonts\SitkaZ.ttc
C:\Windows\Fonts\sylfaen.ttf
C:\Windows\Fonts\symbol.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\Fonts\timesi.ttf
C:\Windows\Fonts\timesbd.ttf
C:\Windows\Fonts\timesbi.ttf
C:\Windows\Fonts\trebuc.ttf
C:\Windows\Fonts\trebucit.ttf
C:\Windows\Fonts\trebucbd.ttf
C:\Windows\Fonts\trebucbi.ttf
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\webdings.ttf
C:\Windows\Fonts\wingding.ttf
C:\Windows\Fonts\YuGothR.ttc
C:\Windows\Fonts\YuGothM.ttc
C:\Windows\Fonts\YuGothL.ttc
C:\Windows\Fonts\YuGothB.ttc
C:\Windows\Fonts\holomdl2.ttf
C:\Windows\Fonts\CENTURY.TTF
C:\Windows\Fonts\LEELAWAD.TTF
C:\Windows\Fonts\LEELAWDB.TTF
C:\Windows\Fonts\MSUIGHUR.TTF
C:\Windows\Fonts\MSUIGHUB.TTF
C:\Windows\Fonts\WINGDNG2.TTF
C:\Windows\Fonts\WINGDNG3.TTF
C:\Windows\Fonts\TEMPSITC.TTF
C:\Windows\Fonts\PRISTINA.TTF
C:\Windows\Fonts\PAPYRUS.TTF
C:\Windows\Fonts\MISTRAL.TTF
C:\Windows\Fonts\LHANDW.TTF
C:\Windows\Fonts\ITCKRIST.TTF
C:\Windows\Fonts\JUICE___.TTF
C:\Windows\Fonts\FRSCRIPT.TTF
C:\Windows\Fonts\FREESCPT.TTF
C:\Windows\Fonts\BRADHITC.TTF
C:\Windows\Fonts\OUTLOOK.TTF
C:\Windows\Fonts\BKANT.TTF
C:\Windows\Fonts\ANTQUAI.TTF
C:\Windows\Fonts\ANTQUAB.TTF
C:\Windows\Fonts\ANTQUABI.TTF
C:\Windows\Fonts\GARA.TTF
C:\Windows\Fonts\GARAIT.TTF
C:\Windows\Fonts\GARABD.TTF
C:\Windows\Fonts\MTCORSVA.TTF
C:\Windows\Fonts\GOTHIC.TTF
C:\Windows\Fonts\GOTHICI.TTF
C:\Windows\Fonts\GOTHICB.TTF
C:\Windows\Fonts\GOTHICBI.TTF
C:\Windows\Fonts\ALGER.TTF
C:\Windows\Fonts\BASKVILL.TTF
C:\Windows\Fonts\BAUHS93.TTF
C:\Windows\Fonts\BELL.TTF
C:\Windows\Fonts\BELLI.TTF
C:\Windows\Fonts\BELLB.TTF
C:\Windows\Fonts\BRLNSR.TTF
C:\Windows\Fonts\BRLNSDB.TTF
C:\Windows\Fonts\BRLNSB.TTF
C:\Windows\Fonts\BERNHC.TTF
C:\Windows\Fonts\BOD_PSTC.TTF
C:\Windows\Fonts\BRITANIC.TTF
C:\Windows\Fonts\BROADW.TTF
C:\Windows\Fonts\BRUSHSCI.TTF
C:\Windows\Fonts\CALIFR.TTF
C:\Windows\Fonts\CALIFI.TTF
C:\Windows\Fonts\CALIFB.TTF
C:\Windows\Fonts\CENTAUR.TTF
C:\Windows\Fonts\CHILLER.TTF
C:\Windows\Fonts\COLONNA.TTF
C:\Windows\Fonts\COOPBL.TTF
C:\Windows\Fonts\FTLTLT.TTF
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe, Queries volume information: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe, Code function: 27_2_061A63F4 GetUserNameW, 27_2_061A63F4

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match, File source: 0.2.IN00043Q1098157INBOM_PDF.exe.42ef140.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.IN00043Q1098157INBOM_PDF.exe.43a3ce8.12.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.IN00043Q1098157INBOM_PDF.exe.43f3d08.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.IN00043Q1098157INBOM_PDF.exe.43f3d08.14.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.IN00043Q1098157INBOM_PDF.exe.43a3ce8.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.IN00043Q1098157INBOM_PDF.exe.437bcc8.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001B.00000002.481444903.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.442771360.00000000043F3000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.442693182.0000000004363000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.442575093.00000000042EF000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: IN00043Q1098157INBOM_PDF.exe PID: 6352, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 5364, type: MEMORYSTR
                      Source: Yara matchFile source: 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 5364, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.IN00043Q1098157INBOM_PDF.exe.42ef140.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 27.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IN00043Q1098157INBOM_PDF.exe.43a3ce8.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IN00043Q1098157INBOM_PDF.exe.43f3d08.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IN00043Q1098157INBOM_PDF.exe.43f3d08.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IN00043Q1098157INBOM_PDF.exe.43a3ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IN00043Q1098157INBOM_PDF.exe.437bcc8.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.481444903.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.442771360.00000000043F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.442693182.0000000004363000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.442575093.00000000042EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IN00043Q1098157INBOM_PDF.exe PID: 6352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 5364, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 12 | Masquerading 1 | Input Capture 1 | Security Software Discovery 111 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 2 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Timestomp 1 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 113 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph


                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
IN00043Q1098157INBOM_PDF.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe | 0% | ReversingLabs |

                      Unpacked PE Files

Source | Detection | Scanner | Label
27.2.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/4 | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.comiona | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/n | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/4 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/2 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Q | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/waC | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
http://www.fontbureau.comituF- | 0% | Avira URL Cloud | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://www.fontbureau.comX | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/C | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/oi | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.fontbureau.come.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/vnoJ | 0% | Avira URL Cloud | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comt | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.pngH | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/n | 0% | URL Reputation | safe
http://www.fontbureau.coma4 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0- | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/k | 0% | URL Reputation | safe
http://www.fontbureau.comituFQ | 0% | Avira URL Cloud | safe
http://www.fontbureau.comalic | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/oH | 0% | Avira URL Cloud | safe
http://ISXesm.com | 0% | Avira URL Cloud | safe
http://www.fontbureau.comitud | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | aspnet_compiler.exe, 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | | high
https://github.com/Pester/PesterH | powershell.exe, 00000004.00000002.346116296.00000000048B2000.00000004.00000001.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.newtonsoft.com/json | IN00043Q1098157INBOM_PDF.exe | false | | high
http://www.fontbureau.com/designers | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/jp/4 | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersa6 | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.440850247.0000000001867000.00000004.00000040.sdmp | false | | high
http://www.fontbureau.comiona | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.437566275.0000000006050000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/n | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.226033077.0000000006057000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/4 | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/2 | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.220902698.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp// | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.220902698.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.345882415.0000000004771000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001B.00000002.481444903.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.437566275.0000000006050000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/ | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.226033077.0000000006057000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNS | aspnet_compiler.exe, 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.350935626.0000000007773000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Q | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/waC | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | aspnet_compiler.exe, 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.350935626.0000000007773000.00000004.00000001.sdmp | false | | high
https://go.micro | powershell.exe, 00000004.00000002.349199494.0000000004FEB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comituF- | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224277676.0000000006056000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0.htmlH | powershell.exe, 00000004.00000002.346116296.00000000048B2000.00000004.00000001.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.349654412.00000000057D2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comX | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224277676.0000000006056000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/C | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/oi | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224783246.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.come.com | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.437566275.0000000006050000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/vnoJ | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.350935626.0000000007773000.00000004.00000001.sdmp | false | | high
http://james.newtonking.com/projects/json | IN00043Q1098157INBOM_PDF.exe | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.219288579.0000000006057000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.html | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224188494.0000000006096000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comt | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224783246.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.pngH | powershell.exe, 00000004.00000002.346116296.00000000048B2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/n | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.newtonsoft.com/jsonschema | IN00043Q1098157INBOM_PDF.exe | false | | high
http://www.fontbureau.coma4 | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224277676.0000000006056000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Y0- | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221601834.0000000006056000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/k | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | IN00043Q1098157INBOM_PDF.exe, 00000000.00000002.444190384.0000000007262000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comituFQ | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224783246.0000000006056000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson | IN00043Q1098157INBOM_PDF.exe | false | | high
http://www.fontbureau.com/designers/cabarga.html:3 | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224137907.0000000006096000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comalic | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224277676.0000000006056000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/oH | IN00043Q1098157INBOM_PDF.exe, 00000000.00000003.221278628.0000000006056000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                                                    http://ISXesm.comaspnet_compiler.exe, 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.fontbureau.comitudIN00043Q1098157INBOM_PDF.exe, 00000000.00000003.224783246.0000000006056000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown

                                                                    Contacted IPs

                                                                    No contacted IP infos

                                                                    General Information

                                                                    Joe Sandbox Version:33.0.0 White Diamond
                                                                    Analysis ID:483913
                                                                    Start date:15.09.2021
                                                                    Start time:16:11:31
                                                                    Joe Sandbox Product:CloudBasic
                                                                    Overall analysis duration:0h 10m 31s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Sample file name:IN00043Q1098157INBOM_PDF.scr (renamed file extension from scr to exe)
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • HDC enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Detection:MAL
                                                                    Classification:mal80.troj.evad.winEXE@6/7@0/0
                                                                    EGA Information:Failed
                                                                    HDC Information:
                                                                    • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                                                    • Quality average: 61.4%
                                                                    • Quality standard deviation: 22.4%
                                                                    HCA Information:
                                                                    • Successful, ratio: 100%
                                                                    • Number of executed functions: 57
                                                                    • Number of non-executed functions: 4
                                                                    Cookbook Comments:
                                                                    • Adjust boot time
                                                                    • Enable AMSI
                                                                    Warnings:
                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe
• Not all processes were analyzed, report is missing behavior information
                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/483913/sample/IN00043Q1098157INBOM_PDF.exe

                                                                    Simulations

                                                                    Behavior and APIs

Time | Type | Description
16:12:56 | API Interceptor | 27x Sleep call for process: powershell.exe modified
16:14:22 | API Interceptor | 63x Sleep call for process: aspnet_compiler.exe modified

                                                                    Joe Sandbox View / Context

                                                                    IPs

                                                                    No context

                                                                    Domains

                                                                    No context

                                                                    ASN

                                                                    No context

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

Match: C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
Associated Sample Name / URL (Detection):
• HSBC Payment Advice_Docx.exe (malicious)
• HSBC Payment Advice_Docx.exe (malicious)
• Shipping Doc_09092021_Docx.exe (malicious)
• Shipping Doc_09092021_Docx.exe (malicious)
• usfive_20210827-130539.exe (malicious)
• f00tY8HNIM.exe (malicious)

                                                                                Created / dropped Files

                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IN00043Q1098157INBOM_PDF.exe.log
                                                                                Process:C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1119
                                                                                Entropy (8bit):5.356708753875314
                                                                                Encrypted:false
                                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                                                MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                                                SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                                                SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                                                SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                                                Malicious:true
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):5829
                                                                                Entropy (8bit):4.8968676994158
                                                                                Encrypted:false
                                                                                SSDEEP:96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
                                                                                MD5:36DE9155D6C265A1DE62A448F3B5B66E
                                                                                SHA1:02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
                                                                                SHA-256:8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
                                                                                SHA-512:C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):17204
                                                                                Entropy (8bit):5.560276111592368
                                                                                Encrypted:false
                                                                                SSDEEP:384:8t9/k03Y+V8RL75aCBjSBKnskt7Y9gbpkcQp7TDqYKy:wYB975H4KskFSRVDjd
                                                                                MD5:A19B43840D689BA05B91B5524BE62CE3
                                                                                SHA1:810E693A98FA202128C82EF363788F805C0A4FD8
                                                                                SHA-256:54EA1EDA2F522B6B98DF5AA260FEC6B3824C4B757B1BA0D5B480205E4DF67A3A
                                                                                SHA-512:BF39C5FB3D782AD03BF4B099B8EF045368806FB79C777D3B1A2B94CA2CD4D6D0FD2A258F6F67CB212E688E7189F059CAF12AB9239C8315F94A85CB5E2E9486D1
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: @...e...................................+............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)S.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fgnvkgj4.fxf.psm1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Reputation:high, very likely benign file
                                                                                Preview: 1
                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqkugb4c.xqt.ps1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview: 1
                                                                                C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
                                                                                Process:C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe
                                                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):55400
                                                                                Entropy (8bit):6.093991957600089
                                                                                Encrypted:false
                                                                                SSDEEP:768:kF9E8FLLs2Zokf85dImTg6Iq88nqf7PpjU/VifNL45bO:kfE6EkfOdImT/9KU/Vot45bO
                                                                                MD5:17CC69238395DF61AAF483BCEF02E7C9
                                                                                SHA1:B164C5DC95EBCC9ECB305E43789B57E7895781DE
                                                                                SHA-256:A1661DB1B74B876A7E789FC6EBB4E34BEAFA2B48A08E13FD18927FBECC9D2AC4
                                                                                SHA-512:308CC2AB766D2233E5F5F16EF0751C525BA3017C8A4D5177E2FF1A23CD12BAD4F43DADF01139CA163951916145C2F9465A9FA50D50A365AB86942FE55B916087
                                                                                Malicious:true
                                                                                Antivirus:
• Antivirus: Metadefender, Detection: 3%
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Joe Sandbox View:
• Filename: HSBC Payment Advice_Docx.exe, Detection: malicious
• Filename: HSBC Payment Advice_Docx.exe, Detection: malicious
• Filename: Shipping Doc_09092021_Docx.exe, Detection: malicious
• Filename: Shipping Doc_09092021_Docx.exe, Detection: malicious
• Filename: usfive_20210827-130539.exe, Detection: malicious
• Filename: f00tY8HNIM.exe, Detection: malicious
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0................. ........@.. ....................................`.................................t...O.......................h>..........<................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......t3..pc.............X...<........................................0..........s.....Y.....(.....Z.....&..(......+....(....o......r...p(....-..r...p(....,.....X....i2..-;(....(..........%.r!..p.(....(....((...(....(....(....( .....-.(7...(.....*.(....-..*.~S...-.~R....S...s!.....~W...o"....~U...o#....~V...o$....o%...~Y...o&...~S...~Q...~T....s'....P...~P...sE...o(............~W....@_,s.....()...r7..p.$(*........o+..........o,....2....... ....37(....(8.........%...o-....
                                                                                C:\Users\user\Documents\20210915\PowerShell_transcript.358075.FUDbQnjY.20210915161236.txt
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):939
                                                                                Entropy (8bit):5.025468145438514
                                                                                Encrypted:false
                                                                                SSDEEP:24:BxSAGCxvBnOx2DOXUWM1W5HjeTKKjX4CIym1ZJXqnxSAZo:BZ9vhOoOZ5qDYB1ZWZZo
                                                                                MD5:5F60D560F07A32B8050BB12CC13DBE51
                                                                                SHA1:005A9FC94FBF972E7BFFC47764C5336748FF13ED
                                                                                SHA-256:C44DB9F1B63F63AB583E471EC83BD5D3D6071E333B5725E3CF1AFB640460AE8E
                                                                                SHA-512:B61617DF3805FC07CB428C0C2EDBC1A1487F78CB29A03C242A14E4FD172F77DC12E8A741EF364C43EC1729CA91630093BCB63A26744B764C3A6B25FF47FBF9CB
                                                                                Malicious:false
                                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20210915161252..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 20..Process ID: 6652..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210915161252..**********************..PS>Start-Sleep -s 20..**********************..Command start time: 20210915161645..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20210915161645..**********************..

                                                                                Static File Info

                                                                                General

                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):7.059045468414658
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                File name:IN00043Q1098157INBOM_PDF.exe
                                                                                File size:811520
                                                                                MD5:c2ce5a6ac6a3f64917af0f6ea60c04e5
                                                                                SHA1:4f04822fbc2e6c2cbcd529ffbf13fe0e69d0ef8b
                                                                                SHA256:4220609cfa7ee56eb45421d8c08257f828c06bb8ebf0bc602cff01609107c6c4
                                                                                SHA512:08c815bfc1edfed6d29184269768f606ce4be9eb9965aa2af30372640e80b0440f95d4b4ba8bdea0d23730b7edeb12cdb8b680d67b4a9c6eecac2c1aaf5327c9
                                                                                SSDEEP:12288://gecNU2zqX6lUB2Ake2BHkUzFtymEranppw9PWs1kQYZ+:QDNgWUB2AkeUDzFtrErUYugYM
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ZO................0......N.......1... ...@....@.. ....................................@................................

                                                                                File Icon

                                                                                Icon Hash:c88cc8c8882c54f8

                                                                                Static PE Info

                                                                                General

                                                                                Entrypoint:0x4c31a6
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                Time Stamp:0xBA8C4F5A [Wed Mar 6 01:05:30 2069 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:v4.0.30319
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                Entrypoint Preview

                                                                                Instruction
                                                                                jmp dword ptr [00402000h]
                                                                                add dword ptr [edx], eax
                                                                                add eax, dword ptr [00080706h+eax]
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al

                                                                                Data Directories

                                                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc3154 | 0x4f | .text
                                                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x4ac0 | .rsrc
                                                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xca000 | 0xc | .reloc
                                                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc3138 | 0x1c | .text
                                                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                Sections

                                                                                 Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                 .text | 0x2000 | 0xc11b4 | 0xc1200 | False | 0.624974716828 | data | 7.06744291098 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                 .rsrc | 0xc4000 | 0x4ac0 | 0x4c00 | False | 0.285670230263 | data | 5.10667622622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                 .reloc | 0xca000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                Resources

                                                                                 Name | RVA | Size | Type | Language | Country
                                                                                 RT_ICON | 0xc4100 | 0x4428 | dBase IV DBT of \200.DBF, blocks size 0, block length 17408, next free block index 40, next free block 0, next used block 0 | |
                                                                                 RT_GROUP_ICON | 0xc8538 | 0x14 | data | |
                                                                                 RT_VERSION | 0xc855c | 0x362 | data | |
                                                                                 RT_MANIFEST | 0xc88d0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                                Imports

                                                                                 DLL | Import
                                                                                 mscoree.dll | _CorExeMain

                                                                                Version Infos

                                                                                 Description | Data
                                                                                 Translation | 0x0000 0x04b0
                                                                                 LegalCopyright | Dreamsecurity Co., Ltd.
                                                                                 Assembly Version | 1.0.0.14
                                                                                 InternalName | SSGG1.exe
                                                                                 FileVersion | 1.0.0.14
                                                                                 CompanyName | Dreamsecurity
                                                                                 LegalTrademarks |
                                                                                 Comments | MagicLine4NX
                                                                                 ProductName | MagicLine4NX
                                                                                 ProductVersion | 1.0.0.14
                                                                                 FileDescription | MagicLine4NX
                                                                                 OriginalFilename | SSGG1.exe

                                                                                Network Behavior

                                                                                No network behavior found

                                                                                Code Manipulations

                                                                                System Behavior

                                                                                General

                                                                                Start time:16:12:24
                                                                                Start date:15/09/2021
                                                                                Path:C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Users\user\Desktop\IN00043Q1098157INBOM_PDF.exe'
                                                                                Imagebase:0xd50000
                                                                                File size:811520 bytes
                                                                                MD5 hash:C2CE5A6AC6A3F64917AF0F6EA60C04E5
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.441498436.00000000031FD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.442771360.00000000043F3000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.442771360.00000000043F3000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.442693182.0000000004363000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.442693182.0000000004363000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.442575093.00000000042EF000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.442575093.00000000042EF000.00000004.00000001.sdmp, Author: Joe Security
                                                                                Reputation:low

                                                                                General

                                                                                Start time:16:12:33
                                                                                Start date:15/09/2021
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20
                                                                                Imagebase:0xad0000
                                                                                File size:430592 bytes
                                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Reputation:high

                                                                                General

                                                                                Start time:16:12:34
                                                                                Start date:15/09/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff6b2800000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:16:14:08
                                                                                Start date:15/09/2021
                                                                                Path:C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe
                                                                                Imagebase:0xb10000
                                                                                File size:55400 bytes
                                                                                MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000002.486860969.0000000002ED1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.481444903.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001B.00000002.481444903.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                Antivirus matches:
                                                                                 • Detection: 3%, Metadefender
                                                                                • Detection: 0%, ReversingLabs
                                                                                Reputation:moderate

                                                                                Disassembly

                                                                                Code Analysis

                                                                                  Executed Functions

                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32 ref: 0162B6F0
                                                                                  • GetCurrentThread.KERNEL32 ref: 0162B72D
                                                                                  • GetCurrentProcess.KERNEL32 ref: 0162B76A
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0162B7C3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Current$ProcessThread
                                                                                  • String ID:
                                                                                  • API String ID: 2063062207-0
                                                                                  • Opcode ID: 8f1a8530edaeb6595689e3673ad63f51ebfc29d70fbc797b2f27e9b5c19c0791
                                                                                  • Instruction ID: cff8e2f7441414d476205e3e77d8e383f960790abc7475e7a9fc87e293001bd4
                                                                                  • Opcode Fuzzy Hash: 8f1a8530edaeb6595689e3673ad63f51ebfc29d70fbc797b2f27e9b5c19c0791
                                                                                  • Instruction Fuzzy Hash: B15145B09006498FDB54CFAAD988BEEBFF4EB48314F28845AE419A7350DB746844CF65
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32 ref: 0162B6F0
                                                                                  • GetCurrentThread.KERNEL32 ref: 0162B72D
                                                                                  • GetCurrentProcess.KERNEL32 ref: 0162B76A
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0162B7C3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Current$ProcessThread
                                                                                  • String ID:
                                                                                  • API String ID: 2063062207-0
                                                                                  • Opcode ID: 6e04918afd10879f1f5edb2dcb60c25f78b66e3d8092f3e2c9be8c5d68a79669
                                                                                  • Instruction ID: f3c21f2f74fac1976b24c888d7010e0257d8a03f4e058fb37a50f9cedbafebaa
                                                                                  • Opcode Fuzzy Hash: 6e04918afd10879f1f5edb2dcb60c25f78b66e3d8092f3e2c9be8c5d68a79669
                                                                                  • Instruction Fuzzy Hash: FF5164B09006498FDB54CFAAD988BEEBBF4FF48314F28841AE419A7350CB745840CF69
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 016298D6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0
                                                                                  • Opcode ID: ba34b5914768e7fd3b2475d26ff907e429352ddf9dc205cb735f9c12afc5b9e3
                                                                                  • Instruction ID: 840a53a6406b0fa6b9bc2d5e1b77a3d4483266304811b580334889577d24eae7
                                                                                  • Opcode Fuzzy Hash: ba34b5914768e7fd3b2475d26ff907e429352ddf9dc205cb735f9c12afc5b9e3
                                                                                  • Instruction Fuzzy Hash: 6B711270A00B258FD724DF69D5507AABBF5BB88308F008A2ED44AD7B50D775A809CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0162FE0A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: eb072d73245ea60f31540ba425e24e1dd04bd19b704d2d9cda107c8d83b460fc
                                                                                  • Instruction ID: a5ce7139000c4bd083503b3f39f9d8e54e6a368d67e789b61247e97cc6f2f92c
                                                                                  • Opcode Fuzzy Hash: eb072d73245ea60f31540ba425e24e1dd04bd19b704d2d9cda107c8d83b460fc
                                                                                  • Instruction Fuzzy Hash: 9451DFB1D00219AFDB14CF99D884ADEBFB5FF88314F24852AE419AB210D7719945CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0162FE0A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: 402f19141f9236625e20cdd8883390dd547811f12f43d65c7d4b19d4f3a0b44a
                                                                                  • Instruction ID: a8552000aa81725a41600f7d5f6667f82277de6a37de5726d64769ccb690702d
                                                                                  • Opcode Fuzzy Hash: 402f19141f9236625e20cdd8883390dd547811f12f43d65c7d4b19d4f3a0b44a
                                                                                  • Instruction Fuzzy Hash: 5841D0B1D00319EFDB14CF9AC884ADEBFB5BF48314F24812AE419AB210D7719845CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateActCtxA.KERNEL32(?), ref: 01625439
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID:
                                                                                  • API String ID: 2289755597-0
                                                                                  • Opcode ID: 5b415c25a500f4eab24b0972ecdde5ca6cd2de386bf2abc446525e63b9f8c19f
                                                                                  • Instruction ID: 7da612df0d1137705ea96326b6b699a335a3866f4fc483a641d2c67918c5dca8
                                                                                  • Opcode Fuzzy Hash: 5b415c25a500f4eab24b0972ecdde5ca6cd2de386bf2abc446525e63b9f8c19f
                                                                                  • Instruction Fuzzy Hash: EE41F3B1D00628CBDB24CFA9C885BDEFBB5BF48314F24856AD409AB251DB715946CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateActCtxA.KERNEL32(?), ref: 01625439
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID:
                                                                                  • API String ID: 2289755597-0
                                                                                  • Opcode ID: 725a211eb03b9734613fe54d5e563296960a0074d1268a893f20e7c7bec81874
                                                                                  • Instruction ID: 0e731f2c0e8279ef8d79d7b722c706c7927c90e9114dff81f211ff8c9386afa4
                                                                                  • Opcode Fuzzy Hash: 725a211eb03b9734613fe54d5e563296960a0074d1268a893f20e7c7bec81874
                                                                                  • Instruction Fuzzy Hash: DC41E0B0D00628CBDB24CFA9C884BDEFBB5BF48314F24856AD409AB251DB716946CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetSystemMetrics.USER32(0000004B), ref: 01627DFD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: MetricsSystem
                                                                                  • String ID:
                                                                                  • API String ID: 4116985748-0
                                                                                  • Opcode ID: eda2fe9fa1a051dac528937648d74a224f70ec7aec1a280bef47b42901874ad3
                                                                                  • Instruction ID: da1219330d4b4aa3772a72eaf28d8a67025da6aaf0ad5629fea4b3099c13830a
                                                                                  • Opcode Fuzzy Hash: eda2fe9fa1a051dac528937648d74a224f70ec7aec1a280bef47b42901874ad3
                                                                                  • Instruction Fuzzy Hash: FE315376901B948FEB21CFA9DC057EA7FF4EB25310F08445ED485A7382C7388840CBA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0162B93F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: 1f3b508a73dbedd4ec33eea564401f7ec5cc6cd002c08123dc65c22ce5ebdae4
                                                                                  • Instruction ID: 9d006f008f7e84c1bf0d0cce40c1a80fbbfc5cd0752b1403c9e761c657cbbbfe
                                                                                  • Opcode Fuzzy Hash: 1f3b508a73dbedd4ec33eea564401f7ec5cc6cd002c08123dc65c22ce5ebdae4
                                                                                  • Instruction Fuzzy Hash: 2A21E2B5D002599FDB10CFA9D984BEEBBF8EB09324F14841AE955B3310D378A944CFA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0162B93F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: 62f694c96582082dc09074622e87f4eeacdec71c9e4d99d05666b9f6faea409a
                                                                                  • Instruction ID: 8e97ea34e5409fd908708f4d76ed661534d774d57bdac39df44badcff2dd3eda
                                                                                  • Opcode Fuzzy Hash: 62f694c96582082dc09074622e87f4eeacdec71c9e4d99d05666b9f6faea409a
                                                                                  • Instruction Fuzzy Hash: D421E2B5D002189FDB10CFAAD884BDEBBF8EB48324F14841AE954A3310D374A944CFA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01629951,00000800,00000000,00000000), ref: 01629B62
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: cbb78f70d4c4cdea927e8fc9dcf2b585b03c56ed0ce62843357f1fb071492675
                                                                                  • Instruction ID: b86dee4de76f3cdc80f94256e2150fda72fbef7d848ca41a3b417df390af9ff0
                                                                                  • Opcode Fuzzy Hash: cbb78f70d4c4cdea927e8fc9dcf2b585b03c56ed0ce62843357f1fb071492675
                                                                                  • Instruction Fuzzy Hash: 551106B29006598FDB10CF9AC884BEEFBF4AB88324F14842AE915A7200C775A545CFA4
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01629951,00000800,00000000,00000000), ref: 01629B62
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: 9abb6da2b326478cca426dec8b2c12e8c2191d8579b730d8e6a203248c0820b9
                                                                                  • Instruction ID: 59203a16f30b005457c642234020a9213e23e53449ae5bd643a6b276b3e5b719
                                                                                  • Opcode Fuzzy Hash: 9abb6da2b326478cca426dec8b2c12e8c2191d8579b730d8e6a203248c0820b9
                                                                                  • Instruction Fuzzy Hash: B91114B29002199FDB10CF9AC884BDFFBF8AB88324F14852AE515A7200C775A545CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 016298D6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0
                                                                                  • Opcode ID: 46c72ba7fa2e02a6343a1fdb6de3372e8f3978e52c371f5517496c5bf4ea9820
                                                                                  • Instruction ID: 9969d1f3301544e1082d22f34e07294da5b3541cc274990453bc1a14d8ceaee1
                                                                                  • Opcode Fuzzy Hash: 46c72ba7fa2e02a6343a1fdb6de3372e8f3978e52c371f5517496c5bf4ea9820
                                                                                  • Instruction Fuzzy Hash: FB110FB2D006598FDB10CF9AC844BDEFBF8EB88324F14842AD519A7300C3B8A545CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SetWindowLongW.USER32(?,?,?), ref: 0162FF9D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: LongWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1378638983-0
                                                                                  • Opcode ID: d1751374e46e4590f4ca31b353c0776e88cf3624bfc95a8cc297abe13e79c12e
                                                                                  • Instruction ID: 91f61d67d7329a4b3a49d52c788a96fc179a1ac485aa5f88a84ff68bcc5e892a
                                                                                  • Opcode Fuzzy Hash: d1751374e46e4590f4ca31b353c0776e88cf3624bfc95a8cc297abe13e79c12e
                                                                                  • Instruction Fuzzy Hash: C21115B59002099FDB10CF9AD989BDFFBF8EB48324F14841AE915A3340C374A944CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SetWindowLongW.USER32(?,?,?), ref: 0162FF9D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: LongWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1378638983-0
                                                                                  • Opcode ID: e51ef4dcb9a1cf17ad865b1f85c3ed5e5a24b282a82fd9669325cf3836bb492f
                                                                                  • Instruction ID: 2376d56cebfce55f83dbe3f2bdedc071abedc5e491d2bce8bd5ed2b4bc45f43b
                                                                                  • Opcode Fuzzy Hash: e51ef4dcb9a1cf17ad865b1f85c3ed5e5a24b282a82fd9669325cf3836bb492f
                                                                                  • Instruction Fuzzy Hash: 121112B59002088FDB10CF9AD988BDFFBF8EB48324F20841AE915A3340C374A944CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.438523300.00000000013CD000.00000040.00000001.sdmp, Offset: 013CD000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 574fd5e4d92a0df00288702cefd0e04317c44f18a6bba598535c8d35cbd6b6b6
                                                                                  • Instruction ID: ae6e84697fc24cf149b3d3388a1293a2a8852be25c7bc50d40a62449f7f2026d
                                                                                  • Opcode Fuzzy Hash: 574fd5e4d92a0df00288702cefd0e04317c44f18a6bba598535c8d35cbd6b6b6
                                                                                  • Instruction Fuzzy Hash: B921F172504244DFDB01DF94D9C0B26BF65FB98A2CF24857DE9050B646C336D856CBE2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.438589255.00000000013DD000.00000040.00000001.sdmp, Offset: 013DD000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 231db42e7130b0497c4684144eb1a04fe22caae4246e4d22d3496097d9e31819
                                                                                  • Instruction ID: b920d5aa0ee1822830351b809f2f81080966f8f1323904abbbdce2570ef4f8df
                                                                                  • Opcode Fuzzy Hash: 231db42e7130b0497c4684144eb1a04fe22caae4246e4d22d3496097d9e31819
                                                                                  • Instruction Fuzzy Hash: 8F212572504344DFCB11CF64E8C0B16BB65FB88358F24C96DE80A0B686C336D806CA61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.438589255.00000000013DD000.00000040.00000001.sdmp, Offset: 013DD000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d2d64f2fc2a4047dc6962d51e655070bd349a62567f2ae0534b645a139f02b85
                                                                                  • Instruction ID: a9dd4e6c06fa7578e85352ae00491761e58c579318fa7bb01a98c1a3732537cd
                                                                                  • Opcode Fuzzy Hash: d2d64f2fc2a4047dc6962d51e655070bd349a62567f2ae0534b645a139f02b85
                                                                                  • Instruction Fuzzy Hash: 252127B3504344DFD701CF94E9C0B2ABBA9FB84728F24C56DD8494B685CB36E806C6A2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.438589255.00000000013DD000.00000040.00000001.sdmp, Offset: 013DD000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ac227aaaeb078e96a5b6319f3e69d46acaafe1b55a2ba92179337a8181740dd9
                                                                                  • Instruction ID: 7921f2fd5d6112e888b2fe4d10bd24f02084c0115d4aebdaf54534310b10dc4a
                                                                                  • Opcode Fuzzy Hash: ac227aaaeb078e96a5b6319f3e69d46acaafe1b55a2ba92179337a8181740dd9
                                                                                  • Instruction Fuzzy Hash: 0721A4765093808FCB13CF24D994715BF71EB85218F28C5DAD8498B697C33AD44ACB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.438523300.00000000013CD000.00000040.00000001.sdmp, Offset: 013CD000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e8327e2e64201f7ff5ec3366efc7fa298251661c1b1bcdfba362d642d30d07f4
                                                                                  • Instruction ID: febda3a7a988a72097a43687b534f1111267e296c36d4f4c8bcb5ead69f31d80
                                                                                  • Opcode Fuzzy Hash: e8327e2e64201f7ff5ec3366efc7fa298251661c1b1bcdfba362d642d30d07f4
                                                                                  • Instruction Fuzzy Hash: 9D11D376404280DFCB12CF54D9C4B16BF71FB94728F24C6ADE8450B656C336D856CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.438589255.00000000013DD000.00000040.00000001.sdmp, Offset: 013DD000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 27342a477d13dada82fad3185ad002843cb039bd020675cfdbd7a2ef1b150de1
                                                                                  • Instruction ID: c9ccf5423dd353f530e3bb55b8687e8a637d115e5df71d5085535bfcbc6a9565
                                                                                  • Opcode Fuzzy Hash: 27342a477d13dada82fad3185ad002843cb039bd020675cfdbd7a2ef1b150de1
                                                                                  • Instruction Fuzzy Hash: 6C11A376508684DFDB12CF14E6C4719FF71FB85328F28C6AAD8494B646C33AD44ACB92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

Non-executed Functions

Note on the listing below: it belongs to the non-executed set, and its decoded instruction stream is dominated by "push ds", "adc al, 0x0" and "add [reg], reg" forms (rendered here as _push(ds), asm("adc al, 0x0") and *_t = *_t + _t). That is the pattern one sees when non-code bytes are decoded as x86, not compiler-generated code, so neither the C rendering nor the 72% quality figure should be relied on for analysis; match on the Opcode / Instruction fuzzy hashes or on the raw memory dump instead.

C-Code - Quality: 72%
                                                                                  			E00D52050(intOrPtr* __eax, void* __ebx, void* __ecx, signed int* __edx, void* __edi, intOrPtr* __esi, void* __fp0) {
                                                                                  				signed char _t499;
                                                                                  				intOrPtr* _t500;
                                                                                  				signed char _t502;
                                                                                  				intOrPtr* _t503;
                                                                                  				signed char _t505;
                                                                                  				intOrPtr* _t506;
                                                                                  				signed char _t508;
                                                                                  				intOrPtr* _t509;
                                                                                  				signed char _t511;
                                                                                  				intOrPtr* _t512;
                                                                                  				signed char _t514;
                                                                                  				signed char _t515;
                                                                                  				intOrPtr* _t693;
                                                                                  				void* _t738;
                                                                                  				void* _t739;
                                                                                  				void* _t740;
                                                                                  				void* _t741;
                                                                                  				void* _t742;
                                                                                  				void* _t824;
                                                                                  				signed int* _t825;
                                                                                  				void* _t877;
                                                                                  				intOrPtr* _t881;
                                                                                  				void* _t892;
                                                                                  
                                                                                  				_t881 = __esi;
                                                                                  				_push(ds);
                                                                                  				 *__eax =  *__eax + __eax;
                                                                                  				_t499 = __eax + 0x0000002a &  *__edx;
                                                                                  				 *_t499 =  *_t499 + _t499;
                                                                                  				_t500 = _t499 + 0x2a;
                                                                                  				_push(ds);
                                                                                  				 *_t500 =  *_t500 + _t500;
                                                                                  				_t502 = _t500 + 0x0000002a &  *__edx;
                                                                                  				 *_t502 =  *_t502 + _t502;
                                                                                  				_t503 = _t502 + 0x2a;
                                                                                  				_push(ds);
                                                                                  				_t738 = __ecx +  *_t503;
                                                                                  				asm("adc al, 0x0");
                                                                                  				 *__edx =  *__edx + _t738;
                                                                                  				 *_t503 =  *_t503 + _t503;
                                                                                  				_t505 = _t503 + 0x0000002a &  *__edx;
                                                                                  				 *_t505 =  *_t505 + _t505;
                                                                                  				_t506 = _t505 + 0x2a;
                                                                                  				_push(ds);
                                                                                  				_t739 = _t738 +  *_t506;
                                                                                  				asm("adc al, 0x0");
                                                                                  				 *__edx =  *__edx + _t739;
                                                                                  				 *_t506 =  *_t506 + _t506;
                                                                                  				_t508 = _t506 + 0x0000002a &  *__edx;
                                                                                  				 *_t508 =  *_t508 + _t508;
                                                                                  				_t509 = _t508 + 0x2a;
                                                                                  				_push(ds);
                                                                                  				 *_t509 =  *_t509 + _t509;
                                                                                  				_t511 = _t509 + 0x0000002a &  *__edx;
                                                                                  				 *_t511 =  *_t511 + _t511;
                                                                                  				_t512 = _t511 + 0x2a;
                                                                                  				_push(ds);
                                                                                  				_t740 = _t739 +  *_t512;
                                                                                  				asm("adc al, 0x0");
                                                                                  				 *__edx =  *__edx + _t740;
                                                                                  				_t693 = __ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi + 3)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi + 3)) -  *__esi + 4)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi + 3)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi + 3)) -  *__esi + 4)) + 5)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi + 3)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi + 3)) -  *__esi + 4)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi + 3)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  
*((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) -  *__esi + 3)) -  *__esi + 4)) + 5)) -  *__esi + 6));
                                                                                  				 *_t512 =  *_t512 + _t512;
                                                                                  				_t514 = _t512 + 0x0000002a &  *__edx;
                                                                                  				_t877 = __edi +  *((intOrPtr*)(_t892 + 1)) +  *((intOrPtr*)(_t892 + 2)) +  *((intOrPtr*)(_t892 + 3)) +  *((intOrPtr*)(_t892 + 4)) +  *((intOrPtr*)(_t892 + 5)) +  *((intOrPtr*)(_t892 + 6));
                                                                                  				 *_t514 =  *_t514 + _t514;
                                                                                  				_t515 = _t514 + 0x2a;
                                                                                  				_push(ds);
                                                                                  				_t741 = _t740 +  *_t515;
                                                                                  				asm("adc al, 0x0");
                                                                                  				 *__edx =  *__edx + _t741;
                                                                                  				_t824 = __edx -  *__esi;
                                                                                  				_t742 = _t741 +  *_t515;
                                                                                  				asm("adc eax, 0x20a0000");
                                                                                  				 *((intOrPtr*)(_t515 + _t515)) =  *((intOrPtr*)(_t515 + _t515)) - _t824;
                                                                                  				 *__esi =  *__esi + _t515;
                                                                                  				_t825 = _t824 -  *_t693;
                                                                                  				 *_t825 =  *_t825 ^ _t515;
                                                                                  				 *0x1000000 =  *0x1000000 + _t825;
                                                                                  				 *_t515 =  *_t515 + _t515;
                                                                                  				asm("adc [edx+ecx], edx");
                                                                                  				if( *_t515 >= 0) {
                                                                                  					 *_t515 =  *_t515 + _t515;
                                                                                  				}
                                                                                  				 *((intOrPtr*)(_t515 + 0x25)) =  *((intOrPtr*)(_t515 + 0x25)) + _t825;
                                                                                  			}

Instruction addresses paired with the listing above (0x00d52050 to 0x00d520f5):
0x00d52050 0x00d52050 0x00d52054 0x00d52058 0x00d5205d 0x00d5205f 0x00d52061 0x00d52065 0x00d52069 0x00d5206e
0x00d52070 0x00d52072 0x00d52073 0x00d52075 0x00d52077 0x00d5207e 0x00d52082 0x00d52087 0x00d52089 0x00d5208b
0x00d5208c 0x00d5208e 0x00d52090 0x00d52097 0x00d5209b 0x00d520a0 0x00d520a2 0x00d520a4 0x00d520a8 0x00d520ac
0x00d520b1 0x00d520b3 0x00d520b5 0x00d520b6 0x00d520b8 0x00d520ba 0x00d520be 0x00d520c1 0x00d520c5 0x00d520c7
0x00d520ca 0x00d520cc 0x00d520ce 0x00d520cf 0x00d520d1 0x00d520d3 0x00d520d5 0x00d520d7 0x00d520d9 0x00d520de
0x00d520e1 0x00d520e3 0x00d520e5 0x00d520e7 0x00d520ed 0x00d520ef 0x00d520f2 0x00d520f4 0x00d520f4 0x00d520f5

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.437770335.0000000000D52000.00000002.00020000.sdmp, Offset: 00D50000, based on PE: true
• Associated: 00000000.00000002.437756095.0000000000D50000.00000002.00020000.sdmp
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bba838ed899675e90da70bc82d6dcbf4f2bfa9b3c30db58bc149c6fd53d528a9
                                                                                  • Instruction ID: d51df6ea6e8b2dcf18d65492a4673c1fa4b3b1fee938a9248b946a9b371e1864
                                                                                  • Opcode Fuzzy Hash: bba838ed899675e90da70bc82d6dcbf4f2bfa9b3c30db58bc149c6fd53d528a9
                                                                                  • Instruction Fuzzy Hash: A3D2346144E3C24FCB038B749CB56D2BFB1AE1721471E89DBC8C18F4A3E2195A5ED762
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: caebdea28f7540afccd0e05c54a62c1d0052932c7f07bae698128603ae71e9a2
                                                                                  • Instruction ID: 231e482f2122eb97bcc6560be07f8c33fe75f064d18e39a6138d764015be52e4
                                                                                  • Opcode Fuzzy Hash: caebdea28f7540afccd0e05c54a62c1d0052932c7f07bae698128603ae71e9a2
                                                                                  • Instruction Fuzzy Hash: 6412E6F94117468BE330CF65ED981893BA1F741328F906309DA632FAD9D7B411AACF45
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: beeef1faae6e4d0ad32e70c35ce67faec9e3222be62e0ccc7d3766d52dc6422f
                                                                                  • Instruction ID: 1c5fdf0cc57250531ec238101118a1f7df827727cb51a57467a378f05d154a6b
                                                                                  • Opcode Fuzzy Hash: beeef1faae6e4d0ad32e70c35ce67faec9e3222be62e0ccc7d3766d52dc6422f
                                                                                  • Instruction Fuzzy Hash: 72A17E36E0062A8FCF15DFA9CC445DEBBB2FF85300B15856AE905AB261DB71E915CF80
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.439997838.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f423326427092e06dfc9edc8865b24d41bad5cf5095cb231cd2c26815f46a088
                                                                                  • Instruction ID: 9d8a9d3ef8c83037ed0b844eb281a67c2b1fe72a13dc45617d0108160aac052a
                                                                                  • Opcode Fuzzy Hash: f423326427092e06dfc9edc8865b24d41bad5cf5095cb231cd2c26815f46a088
                                                                                  • Instruction Fuzzy Hash: F0C16BB9811746CBD720CF65EC981893BB1FB85328F506309D6632F6D9D7B414AACF84
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Executed Functions

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dbf87274b4d5429e1cfcff047abf0f98ae728b8bd080f6c378cc88555c4b1a6f
                                                                                  • Instruction ID: c94ad222263e997d2b0cb4da4ba5f04097ec4c3873cc27c60f5dbe367263a459
                                                                                  • Opcode Fuzzy Hash: dbf87274b4d5429e1cfcff047abf0f98ae728b8bd080f6c378cc88555c4b1a6f
                                                                                  • Instruction Fuzzy Hash: CD526A75A00219CFDB15DF64C850BAEB3B2EF89309F1085A9E909EB390DB35ED46CB51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SetConsoleCtrlHandler.KERNELBASE(00000000,?), ref: 04756B13
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.345843878.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ConsoleCtrlHandler
                                                                                  • String ID:
                                                                                  • API String ID: 1513847179-0
                                                                                  • Opcode ID: a1222f54df7a7328efa97288ecc6e3417e9503ae216b8e959bb02fa507eaa82f
                                                                                  • Instruction ID: f4c31345ec191fdc22853edfd2e7967c0eca3fc2de1a6739a715b730667aec05
                                                                                  • Opcode Fuzzy Hash: a1222f54df7a7328efa97288ecc6e3417e9503ae216b8e959bb02fa507eaa82f
                                                                                  • Instruction Fuzzy Hash: 5841BF759043498FCB11CFA9C8047EEBFF1EF89314F14846AD448EB291DB78A945CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SetConsoleCtrlHandler.KERNELBASE(00000000,?), ref: 04756B13
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.345843878.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ConsoleCtrlHandler
                                                                                  • String ID:
                                                                                  • API String ID: 1513847179-0
                                                                                  • Opcode ID: 84005aba96c3b168895e156d07b3234ec3db448645ef8f95e0e3b2cb6d39b933
                                                                                  • Instruction ID: 7eb58941f81a74eb6d287478a0832c2ee96959dab8c97b0a7dc176de9c79d1a7
                                                                                  • Opcode Fuzzy Hash: 84005aba96c3b168895e156d07b3234ec3db448645ef8f95e0e3b2cb6d39b933
                                                                                  • Instruction Fuzzy Hash: 74211A75D002498FCB14CFAAC8447EEBBF5EF88324F148429D459A7390DB78A945CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%
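The function entries on this page are machine output, and the two Executed Functions entries above attribute the same SetConsoleCtrlHandler call site (ref 04756B13) to two different functions. The following Python is an added example, not part of the Joe Sandbox report or of the vendor's tooling: it parses entries in the layout shown on this page into records, decodes the API reference and memory-dump fields into integers, flags call sites claimed by more than one entry, and counts entries per dumped region. The sample text is copied from those two entries; the field meanings (the "ref" value as a code address, the fourth dot-separated field of the .sdmp name as the region start address) are inferred from this page's entries, not taken from vendor documentation.

```python
"""Parse per-function entries of a Joe Sandbox style report (layout as on this page)
into records usable for hunting.  Added example; not the report's or vendor's code.
SAMPLE is copied from the two 'Executed Functions' entries on the page."""
import re
from collections import defaultdict

SAMPLE = """\
Executed Functions

APIs
• SetConsoleCtrlHandler.KERNELBASE(00000000,?), ref: 04756B13
Memory Dump Source
• Source File: 00000004.00000002.345843878.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: false
Similarity
• API ID: ConsoleCtrlHandler
• String ID:
• API String ID: 1513847179-0
• Opcode ID: a1222f54df7a7328efa97288ecc6e3417e9503ae216b8e959bb02fa507eaa82f
• Instruction Fuzzy Hash: 5841BF759043498FCB11CFA9C8047EEBFF1EF89314F14846AD448EB291DB78A945CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetConsoleCtrlHandler.KERNELBASE(00000000,?), ref: 04756B13
Memory Dump Source
• Source File: 00000004.00000002.345843878.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: false
Similarity
• API ID: ConsoleCtrlHandler
• String ID:
• API String ID: 1513847179-0
• Opcode ID: 84005aba96c3b168895e156d07b3234ec3db448645ef8f95e0e3b2cb6d39b933
• Instruction Fuzzy Hash: 74211A75D002498FCB14CFAAC8447EEBBF5EF88324F148429D459A7390DB78A945CFA1
Uniqueness

Uniqueness Score: -1.00%
"""

SECTION_RE = re.compile(r"^(Executed|Non-executed) Functions$")
HEADERS = {"Memory Dump Source", "Similarity", "Uniqueness", "Strings"}
API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
SOURCE_RE = re.compile(r"^(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?[\d.]+)%$")


def _new(section):
    return {"section": section, "apis": [], "fields": {}, "source_file": None,
            "region_start": None, "offset": None, "based_on_pe": None, "uniqueness_score": None}


def parse_functions(text):
    """Return one record per function entry; a 'Uniqueness Score' line closes an entry."""
    records, section, cur, in_apis = [], None, _new(None), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # section header applies to following entries
            section = m.group(1)
            cur["section"] = section
            continue
        if line == "APIs":
            in_apis = True
            continue
        if line in HEADERS:
            in_apis = False
            continue
        m = SCORE_RE.match(line)
        if m:                                   # end of entry
            cur["uniqueness_score"] = float(m.group("score"))
            records.append(cur)
            cur, in_apis = _new(section), False
            continue
        m = API_RE.match(line) if in_apis else None
        if m:                                   # API call site: name.module(args), ref: addr
            cur["apis"].append({"api": m.group("api"), "module": m.group("module"),
                                "args": m.group("args"), "ref": int(m.group("ref"), 16)})
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        s = SOURCE_RE.match(val) if key == "Source File" else None
        if s:
            cur["source_file"] = s.group("file")
            cur["offset"] = int(s.group("off"), 16)
            cur["based_on_pe"] = s.group("pe") == "true"
            # Assumption inferred from this page: the 4th dot-separated field of the .sdmp
            # name is the dumped region's start address; 'Offset' equals it unless the
            # region is attributed to a PE, where Offset is the image base instead.
            cur["region_start"] = int(s.group("file").split(".")[3], 16)
        else:
            cur["fields"][key] = val
    return records


def shared_api_refs(records):
    """Call sites (api, module, ref) claimed by more than one entry, mapped to the Opcode IDs
    of those entries.  Such entries cover the same code and should be reviewed together
    before either fuzzy hash is used for matching."""
    seen = defaultdict(list)
    for r in records:
        for a in r["apis"]:
            seen[(a["api"], a["module"], a["ref"])].append(r["fields"].get("Opcode ID"))
    return {k: v for k, v in seen.items() if len(v) > 1}


def functions_by_region(records):
    """Count entries per dumped region, to decide which dump to carve for signatures."""
    counts = defaultdict(int)
    for r in records:
        counts[r["source_file"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_functions(SAMPLE)
    for r in recs:
        print(r["section"], r["fields"]["Opcode ID"][:16], hex(r["region_start"]), r["apis"])
    print(shared_api_refs(recs))
    print(functions_by_region(recs))
```

Run against a full report export, shared_api_refs gives the pairs to check manually, and functions_by_region shows which .sdmp dumps carry the most recovered functions and are therefore the first candidates for byte-level signature extraction.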

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 0
                                                                                  • API String ID: 0-4108050209
                                                                                  • Opcode ID: c88908396f5ad931bf8a3580fcccae940b0f3fb99d42e9b469fbbf64e29072a2
                                                                                  • Instruction ID: 8faf069d736ad3dc1a2f4c210546b00a4aabc4d9bf8b1dd018d02c0a446c3d8e
                                                                                  • Opcode Fuzzy Hash: c88908396f5ad931bf8a3580fcccae940b0f3fb99d42e9b469fbbf64e29072a2
                                                                                  • Instruction Fuzzy Hash: 1121D374604308DFCB05DB74D4546AE7FB6EF8A355F104469EA01EB381EF799806CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 82f2564a07d59869cad10c9fc57309d06a7477b3aad1852400653b7b82f330ea
                                                                                  • Instruction ID: b1ef45437d770a01503066269b0d4192270eaed6d48e0fd983aeb90b9bc9bd9f
                                                                                  • Opcode Fuzzy Hash: 82f2564a07d59869cad10c9fc57309d06a7477b3aad1852400653b7b82f330ea
                                                                                  • Instruction Fuzzy Hash: B351A435B001199BDF05DB94DC65BEEBBBBEB8D700F10842AE906A7385CF355D019B98
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c9c6aef9622dbab26c95b37f3dc22741e1921ce2cc3b5ddd32ba053a1beef7b6
                                                                                  • Instruction ID: 9c093ff6005884ccf0adb4d9b50aebab290cfde99d39d3757e2fcc4e6b9be4e8
                                                                                  • Opcode Fuzzy Hash: c9c6aef9622dbab26c95b37f3dc22741e1921ce2cc3b5ddd32ba053a1beef7b6
                                                                                  • Instruction Fuzzy Hash: 25713A75A01119CFEB14DF64D854FAABBB6FF88305F0481A9E909EB290DB34AD41CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6bd55a950cf49289875f10e5c1aea4b5afe4005c6b5fe15abca07afb6ce1c1e9
                                                                                  • Instruction ID: 65f280eceacac687a4c77cdbcc5d9101d27cafcf26f8ed74a004501596f2f93a
                                                                                  • Opcode Fuzzy Hash: 6bd55a950cf49289875f10e5c1aea4b5afe4005c6b5fe15abca07afb6ce1c1e9
                                                                                  • Instruction Fuzzy Hash: A6418D75A0020ADFDB15DBA0D450AAEB7B6EF95309F50D438E806BB381DF34A945CF61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5eba93a820f4afc44abfdd13bfedc7d918f7729bf4327976b4ce09ba8c5be804
                                                                                  • Instruction ID: 6b8482fb8f3354ec1debb660f8cc587a39bc64dbb7fd699df4bba074d49621ba
                                                                                  • Opcode Fuzzy Hash: 5eba93a820f4afc44abfdd13bfedc7d918f7729bf4327976b4ce09ba8c5be804
                                                                                  • Instruction Fuzzy Hash: 6D31B2727002059FDB01DFA4D9545AE7BEAEB82315F50C87AD809DF292EF31AD058B91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.344513387.0000000000AAD000.00000040.00000001.sdmp, Offset: 00AAD000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 23ef9d9f1527780d44bb5c5c8f278b9b84fa23291f3c72e36ca3cb8f08db5d94
                                                                                  • Instruction ID: 1db8a0622b8760fad47fe07801533b3f7d46e530749353d9b341ca88d98af665
                                                                                  • Opcode Fuzzy Hash: 23ef9d9f1527780d44bb5c5c8f278b9b84fa23291f3c72e36ca3cb8f08db5d94
                                                                                  • Instruction Fuzzy Hash: 5C01F7704083809AE7104F21CC84767FB98EF42768F18845AED871F6C2C3799845C6B1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0080864521b8b6b6134b3480fdc7a2c9e2f678ff1e499ac69655e237bd9600ec
                                                                                  • Instruction ID: 866de44ffdab3efdee585f1f4fc1c6f06c8b7b3584fe949c9321a4987b216aec
                                                                                  • Opcode Fuzzy Hash: 0080864521b8b6b6134b3480fdc7a2c9e2f678ff1e499ac69655e237bd9600ec
                                                                                  • Instruction Fuzzy Hash: 4C014633104289BFCF529F94DC40CDE3F76FF8A324B09850AFA5486120C276C9A6EB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1b6e1ffafdb3aa1398c0a293e7b19c33b4e1da5ba0a9bdb6cc29eb42539e5cc6
                                                                                  • Instruction ID: 3650ed98b00906b497120108e1540263927105e39e31f244b801511e266c03e0
                                                                                  • Opcode Fuzzy Hash: 1b6e1ffafdb3aa1398c0a293e7b19c33b4e1da5ba0a9bdb6cc29eb42539e5cc6
                                                                                  • Instruction Fuzzy Hash: 66F02E3770025457C71495A898544DE77EAEBCD232B14047AD947D7740CFB9DC8BC790
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.344513387.0000000000AAD000.00000040.00000001.sdmp, Offset: 00AAD000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2495aa9d77f71726897faedcb623fbc9b9c8d2634dd3b655fbcbc3335e1bf394
                                                                                  • Instruction ID: f607183a1091bc8b44c769419dc781b9510ac882afd184d1b997e3c8012d3385
                                                                                  • Opcode Fuzzy Hash: 2495aa9d77f71726897faedcb623fbc9b9c8d2634dd3b655fbcbc3335e1bf394
                                                                                  • Instruction Fuzzy Hash: 7FF0C271404384AEE7108F16CCC8B66FF98EF52734F18C05AED8A1F686C3799844CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d47129fa4c37cfc882c7dba9cc3de16af90cde452327f6e89e39b489b177dc19
                                                                                  • Instruction ID: bef2dec2dd5eb2cf5b55997e9b04d0d8dc796e06f3a0817fb2f361dfd7d51f3b
                                                                                  • Opcode Fuzzy Hash: d47129fa4c37cfc882c7dba9cc3de16af90cde452327f6e89e39b489b177dc19
                                                                                  • Instruction Fuzzy Hash: 48F04432000249BFCF42AF90EC50CDA3FB6FF0A324B019942FE4486021C27AD962EB80
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 34224f1930ca58aabbe356f82f124378037197049f4ca6c0c4833c4f437a910a
                                                                                  • Instruction ID: 14cdd46550b440bff175381523e1ecec22f2a7eb1af1190859c12256fd78ebed
                                                                                  • Opcode Fuzzy Hash: 34224f1930ca58aabbe356f82f124378037197049f4ca6c0c4833c4f437a910a
                                                                                  • Instruction Fuzzy Hash: 38F0CA32100249BB8F529F85DD00CDE3F7AFF89765B498919FA5446120C632E8A0EB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c6ae5489673abc0cdd3f33cdabc7de95636a93773ea1afee9ca9b049c91c9d67
                                                                                  • Instruction ID: 31fa0a69317e9599183a9927ee4be41319dc91e26ec32007587495848ba58670
                                                                                  • Opcode Fuzzy Hash: c6ae5489673abc0cdd3f33cdabc7de95636a93773ea1afee9ca9b049c91c9d67
                                                                                  • Instruction Fuzzy Hash: 5AE02236B002588BCB28A66CD8044EE73FAEBCC222F04007AD906E3740CFB5DC09CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1b94b1240969b2082e2e42fb61f1457987643b14674668020379cb9c5122122c
                                                                                  • Instruction ID: 52c943892e3fd47d0d9b448d37eef93bbe8a62adad21550276a6f5e40e4aa79e
                                                                                  • Opcode Fuzzy Hash: 1b94b1240969b2082e2e42fb61f1457987643b14674668020379cb9c5122122c
                                                                                  • Instruction Fuzzy Hash: 03E026E320E3E42FC703626828304E93F1288B31B938909D3DAC1CD863D2008989D3B3
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c7fd140e3d25bfeef36b94ddc1b1254b51a722646eefba50bd960bd7c0343938
                                                                                  • Instruction ID: 8f02d61b7614a6559a294125c362d62c7f3ce2c50b83a4fd36001391e46f6d08
                                                                                  • Opcode Fuzzy Hash: c7fd140e3d25bfeef36b94ddc1b1254b51a722646eefba50bd960bd7c0343938
                                                                                  • Instruction Fuzzy Hash: 33D0C2373000241B4214999DF44086AF39DDBC5A32308807BE90CC3300DE62DC0382D0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 00187ed3fe7f00e078d410fe32bdc0cfdaf9bae97066186154658a770d3e944b
                                                                                  • Instruction ID: 5211355860f50c12fbbc8adea0950b1c68239836c7a9e9ee0155fa7eca7cd0ea
                                                                                  • Opcode Fuzzy Hash: 00187ed3fe7f00e078d410fe32bdc0cfdaf9bae97066186154658a770d3e944b
                                                                                  • Instruction Fuzzy Hash: 43E02631201150DFC302DB2CE458C827FA4EF0A3213014095F808C7362CB258D118B91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 50113c7d4307ac5a3e2aa1b65f4e26d3d74c3f5e16ac0b5067c97639f9f24f59
                                                                                  • Instruction ID: 3d4a8b2934dec7f2a6ddb93997e7cb6983d356d2f1bc4ef3d4d3df0c767f82b1
                                                                                  • Opcode Fuzzy Hash: 50113c7d4307ac5a3e2aa1b65f4e26d3d74c3f5e16ac0b5067c97639f9f24f59
                                                                                  • Instruction Fuzzy Hash: 57D05E367010205B42189A49E580869F7AAEBC9A21319816AE81DD7300DE62DC0387C1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 22e77ab8193d2299042f043f8033e8b82f4e90bd88a71b044f63fde7ea89815d
                                                                                  • Instruction ID: 6d0f2080eabb86ebcc4ddc33b4f67e8c3407572bc85f7cdcbbbeeb99d63a1d37
                                                                                  • Opcode Fuzzy Hash: 22e77ab8193d2299042f043f8033e8b82f4e90bd88a71b044f63fde7ea89815d
                                                                                  • Instruction Fuzzy Hash: A2D05E352105149FC741AB68E509D457BA9EB4D3217018095F90987362CB35ED009B91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.351319840.0000000007850000.00000040.00000001.sdmp, Offset: 07850000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 187ceb72f0024f4394fdccfd1b68c2683e6cd92a5eb0fb9276bef5885db371d7
                                                                                  • Instruction ID: c7d00591ea3452d605ad38b57c6d38a72b0e1689b8b3b9847aafbafae7624c2c
                                                                                  • Opcode Fuzzy Hash: 187ceb72f0024f4394fdccfd1b68c2683e6cd92a5eb0fb9276bef5885db371d7
                                                                                  • Instruction Fuzzy Hash: 11D012B7304158E78B015A8DBC04CDFFB67FB981727188017F205D5551C63645259750
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 061AB63B
Memory Dump Source
• Source File: 0000001B.00000002.489454480.00000000061A0000.00000040.00000001.sdmp, Offset: 061A0000, based on PE: false
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053B51E2
Memory Dump Source
• Source File: 0000001B.00000002.488017787.00000000053B0000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 061AB63B
Memory Dump Source
• Source File: 0000001B.00000002.489454480.00000000061A0000.00000040.00000001.sdmp, Offset: 061A0000, based on PE: false
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0

                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053B51E2
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000001B.00000002.488017787.00000000053B0000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: a1e8569b44b33abf3633c09cf7bddcb80dda3903a2c91608d55baffba612490b
                                                                                  • Instruction ID: cc94f810786b270fb8385f70242e75c409ee1a11457181bb4d254391480c9ddd
                                                                                  • Opcode Fuzzy Hash: a1e8569b44b33abf3633c09cf7bddcb80dda3903a2c91608d55baffba612490b
                                                                                  • Instruction Fuzzy Hash: 1351D2B1D10308DFDF14CF99D884ADEBBB5BF88310F24812AE919AB610E7B59845CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 053B7F49
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000001B.00000002.488017787.00000000053B0000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CallProcWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2714655100-0
                                                                                  • Opcode ID: f1be1258076e2f56866e530bcf6cacfa1f569d631626b69951e2a506f5698c00
                                                                                  • Instruction ID: e1d778aab55f51d1110ada8fd87a4399e4e81605a1addf0cbf3d5b9213c8c7a6
                                                                                  • Opcode Fuzzy Hash: f1be1258076e2f56866e530bcf6cacfa1f569d631626b69951e2a506f5698c00
                                                                                  • Instruction Fuzzy Hash: 96413CB5A00345CFDB14CF99C488AEABBF9FF88314F248459E519A7721D7B4A941CFA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,053B6B6E,?,?,?,?,?), ref: 053B6C2F
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000001B.00000002.488017787.00000000053B0000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: abbdc6e57d228e1b55d55eea1745ac275979d3368d4fb5939e3edb767c7ed52c
                                                                                  • Instruction ID: a6053764c6e507b3778c8f0690969bd2b4bfbf9a14165a1d227494828f882e9b
                                                                                  • Opcode Fuzzy Hash: abbdc6e57d228e1b55d55eea1745ac275979d3368d4fb5939e3edb767c7ed52c
                                                                                  • Instruction Fuzzy Hash: 2521E4B5900208DFDB10CFAAD985ADEBBF8FB48324F14841AE955B3710D774A954CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,053B6B6E,?,?,?,?,?), ref: 053B6C2F
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000001B.00000002.488017787.00000000053B0000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: 0e04c48825009d48915b1aee7d7d68ec6f2ef445f5304cfaec026fa3dab2dd9e
                                                                                  • Instruction ID: 4f144fd2af099f2ac6298a24d333539f50ec312614f96c2ba31b18163f45e75e
                                                                                  • Opcode Fuzzy Hash: 0e04c48825009d48915b1aee7d7d68ec6f2ef445f5304cfaec026fa3dab2dd9e
                                                                                  • Instruction Fuzzy Hash: 1D21E3B5D00208DFDB00CFA9D585AEEBBF8FB48324F14851AE955B3650D774AA44CF60
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 053BBF52
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000001B.00000002.488017787.00000000053B0000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: EncodePointer
                                                                                  • String ID:
                                                                                  • API String ID: 2118026453-0
                                                                                  • Opcode ID: 8a41a2ede23e4bc34c58b17d7dc7bc15b92fb143ff49d161ffbdbc7f97358324
                                                                                  • Instruction ID: aacb0eeca8e3456c6874fe453d240458081691bd4fb0f90dab285ea4127de84f
                                                                                  • Opcode Fuzzy Hash: 8a41a2ede23e4bc34c58b17d7dc7bc15b92fb143ff49d161ffbdbc7f97358324
                                                                                  • Instruction Fuzzy Hash: 262158B2900309CFEB50DFA9C9597EABBF4EB04714F14852AE54AA6A01CB78A544CF60
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 053BBF52
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000001B.00000002.488017787.00000000053B0000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: EncodePointer
                                                                                  • String ID:
                                                                                  • API String ID: 2118026453-0
                                                                                  • Opcode ID: 5258cd1f41153dbf841e338362bda137c0c768b815abbadcd170a1b49240fa01
                                                                                  • Instruction ID: b9d17b12443ed1ac7d30502e068676f0a47d60be99fd07ac1f7c03678d3b690f
                                                                                  • Opcode Fuzzy Hash: 5258cd1f41153dbf841e338362bda137c0c768b815abbadcd170a1b49240fa01
                                                                                  • Instruction Fuzzy Hash: 13119DB1900308CFDB10DFA9D5487DEBBF4FB44724F248429E54AA7601CBB99544CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 0000001B.00000002.484589813.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 20ac88ff437352bf84f2733de10857a5c4ad757657399e9ed2f4b2cd5a3c5e7a
                                                                                  • Instruction ID: d0099480b544ab0d4ed411244e6385c568811a8708474f14eb2b5a4325088352
                                                                                  • Opcode Fuzzy Hash: 20ac88ff437352bf84f2733de10857a5c4ad757657399e9ed2f4b2cd5a3c5e7a
                                                                                  • Instruction Fuzzy Hash: 51214571504244EFDB02DF94D8D0B67BFE9FB88328F20856DE8051B286C736E815CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 0000001B.00000002.484589813.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7fb479ceb2b6797be330ec313bab66653309f56d9090b16ed496a808fb2af716
                                                                                  • Instruction ID: 8d004ee0907b9389ca340adca1ebbe0720c701505d31b124d2f22da3fd7d5aa2
                                                                                  • Opcode Fuzzy Hash: 7fb479ceb2b6797be330ec313bab66653309f56d9090b16ed496a808fb2af716
                                                                                  • Instruction Fuzzy Hash: 2D21D3B1504248EFDB06DF94D9D0B26BFE9FB8832CF248569EC054B686C337D456CAA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 0000001B.00000002.484747950.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 93101fe0976a38db46f7ba7ea18b86390e06724c9b7f7db0c72de25812f7ba17
                                                                                  • Instruction ID: 8ac7174ac06888f1d02c4d3eedb9ddf7b8acb9005b384cf400fbe3c65c87054e
                                                                                  • Opcode Fuzzy Hash: 93101fe0976a38db46f7ba7ea18b86390e06724c9b7f7db0c72de25812f7ba17
                                                                                  • Instruction Fuzzy Hash: FB213775504344DFCB19CF54D8C8B16BB65FB85358F20C96DE80A0B64AC337D847CA61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 0000001B.00000002.484589813.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e8327e2e64201f7ff5ec3366efc7fa298251661c1b1bcdfba362d642d30d07f4
                                                                                  • Instruction ID: 7aa1b3a64907d93d7319c446f38fab8ae445e820bbd5afa265c0191febec046f
                                                                                  • Opcode Fuzzy Hash: e8327e2e64201f7ff5ec3366efc7fa298251661c1b1bcdfba362d642d30d07f4
                                                                                  • Instruction Fuzzy Hash: BF110376404284CFCB06CF44D9C4B16BFB2FB84328F28C6A9DC494B256C336D456CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 0000001B.00000002.484589813.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e8327e2e64201f7ff5ec3366efc7fa298251661c1b1bcdfba362d642d30d07f4
                                                                                  • Instruction ID: 8720f5de64a52fe78cdc7e367cc063ea76ac2c1bf2ee8d13a4a243c57666d4a0
                                                                                  • Opcode Fuzzy Hash: e8327e2e64201f7ff5ec3366efc7fa298251661c1b1bcdfba362d642d30d07f4
                                                                                  • Instruction Fuzzy Hash: B211BE76404280DFDB12CF54D9C4B26BFB1FB84328F2886A9DC050B657C33AD45ACBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 0000001B.00000002.484747950.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 99ebe7b2157fb8d966aa4ce163667c6cb7f8501b33127e7b45bbdde00a440ac8
                                                                                  • Instruction ID: fb2231318de1dfcab480958bef76d2ee752454c7f3c2ca55704b31ffb84eaa2f
                                                                                  • Opcode Fuzzy Hash: 99ebe7b2157fb8d966aa4ce163667c6cb7f8501b33127e7b45bbdde00a440ac8
                                                                                  • Instruction Fuzzy Hash: 6A11BE75504280DFCB16CF14D5C8B15BF61FB45328F24C6AAD8494B65AC33AD45ACB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Non-executed Functions