
Windows Analysis Report: sale order.exe

Overview

General Information

Sample Name: sale order.exe
Analysis ID: 502597
MD5: 9d3fe8ed9fd927c91dd268f70a4c20b9
SHA1: 0f0fe91255fd8af65bc2c03eb4ac63c888e600c9
SHA256: 81c6ab8a5c8ea969d37b9b55d052cf8b352109f1d7e85e1115570f54e542b7c2
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • sale order.exe (PID: 6128 cmdline: 'C:\Users\user\Desktop\sale order.exe' MD5: 9D3FE8ED9FD927C91DD268F70A4C20B9)
    • RegSvcs.exe (PID: 4524 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • NXLun.exe (PID: 6440 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NXLun.exe (PID: 1240 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "nbsupports@seshsupports.com", "Password": "User@40378", "Host": "sg2plcpnl0023.prod.sin2.secureserver.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.536714817.0000000003215000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000003.00000002.534073873.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000003.00000002.534073873.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
00000000.00000002.281050930.00000000040E9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000000.00000002.281050930.00000000040E9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
(10 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.sale order.exe.438e570.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0.2.sale order.exe.438e570.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
0.2.sale order.exe.438e570.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
(3 further entries not shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\sale order.exe' , ParentImage: C:\Users\user\Desktop\sale order.exe, ParentProcessId: 6128, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4524
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\sale order.exe' , ParentImage: C:\Users\user\Desktop\sale order.exe, ParentProcessId: 6128, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4524
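Both Sigma hits reduce to a pair of checks on process-creation telemetry: a signed .NET utility that should always carry an argument was started with an empty command line, and it was spawned by an executable living on the user's Desktop. The Python below, added here as an example and not part of the Joe Sandbox report or of the Sigma project's rule files, re-implements that logic and runs it over the fields quoted in the Data: line above, a constructed benign control, and the renamed NXLun.exe instance from the process tree. The image lists, the parent-path tightening on the AppLocker check (the published rule matches on image name alone) and the benign event's paths are assumptions.

```python
"""Process-creation checks modelled on the two Sigma detections listed above.
Added example: not Joe Sandbox or Sigma project code. The image lists, the
parent-path tightening and the benign control event are assumptions; the
first event copies the fields from the report's Data: line."""
import ntpath

# Binaries that normally take an argument (a DLL, an assembly, a project file).
# Launching one with an empty argument list is the "sacrificial process" pattern
# injectors use to obtain a signed host for their payload. Assumed list,
# following the intent of the Sigma rule named on the page.
SACRIFICIAL_IMAGES = {"regsvcs.exe", "regasm.exe", "regsvr32.exe", "rundll32.exe"}

# Signed .NET framework utilities that execute caller-supplied code and are
# therefore listed by AppLocker-bypass rules (assumed list).
APPLOCKER_BYPASS_IMAGES = {
    "regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "ieexec.exe", "mshta.exe",
}

# Parent directories a user can write to; a system binary spawned from here is
# far more suspicious than one spawned by an installer or a service.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def arguments_of(command_line: str) -> str:
    """Return the text after the image token, handling a quoted image path."""
    cl = command_line.strip()
    if cl[:1] in ("'", '"'):
        end = cl.find(cl[0], 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def evaluate(event: dict) -> list:
    """Return the names of the detections that fire on one process-creation event."""
    image = ntpath.basename(event["Image"]).lower()
    parent = event.get("ParentImage", "").lower()
    hits = []
    if image in SACRIFICIAL_IMAGES and arguments_of(event["CommandLine"]) == "":
        hits.append("Bad Opsec Defaults Sacrificial Processes With Improper Arguments")
    if image in APPLOCKER_BYPASS_IMAGES and parent.startswith(USER_WRITABLE_PREFIXES):
        hits.append("Possible Applocker Bypass")
    return hits


# Event 1: fields copied from the Sigma Data: line of this report.
REPORT_EVENT = {
    "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
    "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
    "ParentImage": r"C:\Users\user\Desktop\sale order.exe",
    "ParentCommandLine": r"'C:\Users\user\Desktop\sale order.exe' ",
    "ProcessId": 4524,
    "ParentProcessId": 6128,
}

# Event 2: constructed control, an installer registering a COM+ assembly the
# way RegSvcs.exe is meant to be used. Paths are hypothetical.
BENIGN_EVENT = {
    "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
    "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /fc "C:\Program Files\Vendor\Service.dll"',
    "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    "ParentCommandLine": r'"C:\Program Files\Vendor\setup.exe" /quiet',
    "ProcessId": 1000,
    "ParentProcessId": 900,
}

# Event 3: the persisted copy from the process tree. By hash it is RegSvcs.exe,
# but renamed, so neither image-name rule can see it.
RENAMED_EVENT = {
    "Image": r"C:\Users\user\AppData\Roaming\NXLun\NXLun.exe",
    "CommandLine": r"'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'",
    "ParentImage": "",
    "ParentCommandLine": "",
    "ProcessId": 6440,
    "ParentProcessId": 0,
}

if __name__ == "__main__":
    for name, ev in (("report", REPORT_EVENT), ("benign", BENIGN_EVENT), ("renamed", RENAMED_EVENT)):
        print(f"{name:8s} pid={ev['ProcessId']:<5d} {evaluate(ev) or 'no hit'}")
```

The third event is the important caveat: once the payload copies RegSvcs.exe to %APPDATA% under a new name, rules keyed on the image name go blind, which is why a hash or version-info (OriginalFileName) match on the autorun target is needed as well.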

                      Jbx Signature Overview


                      AV Detection:

Found malware configuration
Source: 3.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "nbsupports@seshsupports.com", "Password": "User@40378", "Host": "sg2plcpnl0023.prod.sin2.secureserver.net"}
Source: 3.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: sale order.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: sale order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 0000000D.00000002.344676668.0000000000F92000.00000002.00020000.sdmp, NXLun.exe, 0000000F.00000002.358260371.0000000000982000.00000002.00020000.sdmp, NXLun.exe.3.dr
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.3.dr
Source: Joe Sandbox View | IP Address: 182.50.132.92
Source: global traffic | TCP traffic: 192.168.2.3:49818 -> 182.50.132.92:587
Source: RegSvcs.exe, 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.starfieldtech.com/repository/0
Source: RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.starfieldtech.com/repository/sfig2.crt0
Source: RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | String found in binary or memory: http://certs.starfieldtech.com/reposi
Source: RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: RegSvcs.exe, 00000003.00000003.474129335.00000000061AE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft.co
Source: RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.starfieldtech.co
Source: RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.starfieldtech.com/sfig2s1-169.crl0c
Source: RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: RegSvcs.exe, 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: http://eOPeED.com
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.starfieldtech.com/0F
Source: RegSvcs.exe, 00000003.00000002.536831998.000000000327A000.00000004.00000001.sdmp | String found in binary or memory: http://sg2plcpnl0023.prod.sin2.secureserver.net
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: sale order.exe, 00000000.00000002.284684046.0000000007C20000.00000004.00020000.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: sale order.exe, 00000000.00000003.279577057.0000000005E30000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: sale order.exe, 00000000.00000003.279577057.0000000005E30000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: sale order.exe, 00000000.00000003.271353212.0000000005E54000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: sale order.exe, 00000000.00000003.271653953.0000000005E44000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/c
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: sale order.exe, 00000000.00000003.271714351.0000000005E38000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comn
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000003.00000002.536714817.0000000003215000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.536883763.00000000032A6000.00000004.00000001.sdmp | String found in binary or memory: https://92rgATMXZYKxK.net
Source: RegSvcs.exe, 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | String found in binary or memory: https://certs.starfieldtech.com/repository/0
Source: sale order.exe, 00000000.00000002.281050930.00000000040E9000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.534073873.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: sg2plcpnl0023.prod.sin2.secureserver.net
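The network section carries two very different kinds of evidence: the extracted configuration plus the single outbound flow to 182.50.132.92:587, which is the actionable part, and several dozen URL strings scraped from memory, most of which are font-foundry and certificate-chain residue from the .NET loader rather than malware infrastructure. The Python below, added here as an example and not part of the Joe Sandbox report, turns the configuration and the traffic/DNS lines into a typed IOC list and sorts a subset of the memory strings into signal and noise. The noise patterns are an analyst heuristic (assumption), and the DNS answer mapping is constructed: the report lists the query and the contacted IP separately but shows no resolution.

```python
"""IOC triage for the network section of this report. Added example, not
Joe Sandbox code. The noise patterns are an analyst heuristic (assumption)
and DNS_ANSWERS is constructed; everything else is quoted from the report."""
import json
import re

SMTP_PORTS = {25, 465, 587, 2525}  # assumed set of submission/relay ports

# Verbatim from the "Malware Configuration" section.
CONFIG_JSON = ('{"Exfil Mode": "SMTP", "Username": "nbsupports@seshsupports.com", '
               '"Password": "User@40378", "Host": "sg2plcpnl0023.prod.sin2.secureserver.net"}')

# Verbatim network lines.
TRAFFIC_LINES = ["TCP traffic: 192.168.2.3:49818 -> 182.50.132.92:587"]
DNS_LINES = ["DNS traffic detected: queries for: sg2plcpnl0023.prod.sin2.secureserver.net"]

# Constructed: the page does not show the DNS answer.
DNS_ANSWERS = {"sg2plcpnl0023.prod.sin2.secureserver.net": "182.50.132.92"}

# A subset of the "String found in binary or memory" lines as (process, string).
MEMORY_STRINGS = [
    ("sale order.exe", "http://www.fontbureau.com/designers"),
    ("sale order.exe", "http://www.apache.org/licenses/LICENSE-2.0"),
    ("RegSvcs.exe", "http://crl.starfieldtech.com/sfroot-g2.crl0L"),
    ("RegSvcs.exe", "https://api.ipify.org%GETMozilla/5.0"),
    ("RegSvcs.exe", "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip"),
    ("RegSvcs.exe", "http://sg2plcpnl0023.prod.sin2.secureserver.net"),
]

# Assumed noise: font-foundry URLs carried in font metadata, licence texts, and
# CA revocation/OCSP endpoints pulled in by certificate chains.
NOISE = re.compile(r"fontbureau|fonts\.com|tiro\.com|founder\.com\.cn|sandoll|sakkal|"
                   r"apache\.org/licenses|starfieldtech\.com|crl\.microsoft", re.I)
# The string scanner glues trailing bytes onto URLs ("%GETMozilla/5.0"); cut at the URL.
_URL = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._\-/]*)?")
_FLOW = re.compile(r"TCP traffic: (\S+):(\d+) -> (\S+):(\d+)")
_QUERY = re.compile(r"queries for: (\S+)")


def parse_flow(line: str) -> dict:
    """Parse a 'TCP traffic: src:port -> dst:port' line from the report."""
    m = _FLOW.search(line)
    if not m:
        raise ValueError(f"not a traffic line: {line!r}")
    return {"src": m.group(1), "sport": int(m.group(2)), "dst": m.group(3), "dport": int(m.group(4))}


def classify_flow(flow: dict, exfil_host: str, dns_answers: dict) -> str:
    """'smtp-exfil' when the flow reaches the configured host on an SMTP port, else 'other'."""
    if flow["dst"] == dns_answers.get(exfil_host) and flow["dport"] in SMTP_PORTS:
        return "smtp-exfil"
    return "other"


def clean_url(raw: str) -> str:
    """Return the URL prefix of a scanner string, dropping glued-on bytes."""
    m = _URL.match(raw)
    return m.group(0) if m else raw


def triage_strings(entries) -> dict:
    """Split (process, string) pairs into 'signal' and 'noise' URL lists."""
    out = {"signal": [], "noise": []}
    for proc, raw in entries:
        url = clean_url(raw)
        out["noise" if NOISE.search(url) else "signal"].append((proc, url))
    return out


def iocs_from_report(config_json: str, traffic_lines, dns_lines, dns_answers) -> list:
    """Typed IOC records. The mailbox password is deliberately not emitted: it is a
    credential for the provider's abuse desk, not a blocklist entry."""
    cfg = json.loads(config_json)
    iocs = [
        {"type": "domain", "value": cfg["Host"], "context": f"{cfg['Exfil Mode']} exfil host (config)"},
        {"type": "email", "value": cfg["Username"], "context": "exfil mailbox (config)"},
    ]
    seen = {cfg["Host"]}
    for line in dns_lines:
        m = _QUERY.search(line)
        if m and m.group(1) not in seen:
            seen.add(m.group(1))
            iocs.append({"type": "domain", "value": m.group(1), "context": "DNS query"})
    for line in traffic_lines:
        f = parse_flow(line)
        label = classify_flow(f, cfg["Host"], dns_answers)
        ctx = f"{label} flow" + (f" to {cfg['Host']}" if label == "smtp-exfil" else "")
        iocs.append({"type": "ipv4", "value": f["dst"], "port": f["dport"], "context": ctx})
    return iocs


if __name__ == "__main__":
    for ioc in iocs_from_report(CONFIG_JSON, TRAFFIC_LINES, DNS_LINES, DNS_ANSWERS):
        print(ioc)
    for kind, items in triage_strings(MEMORY_STRINGS).items():
        print(kind, items)
```

Two things worth noting about the output: every URL left in the signal bucket comes from the RegSvcs.exe dumps (the injected payload), none from the loader, and the exfil host is a shared cPanel server at a large hosting provider, so the domain and mailbox are the durable indicators while the IP should be treated as short-lived.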

                      Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: sale order.exe
.NET source code contains very large array initializations
Source: 3.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b11491063u002dF973u002d4D9Fu002d8EF9u002dE310068DA354u007d/u00315C1B4CCu002d2D3Du002d464Au002d978Au002dD3B3D66E249A.cs | Large array initialization: .cctor: array initializer size 11976
Source: C:\Users\user\Desktop\sale order.exe | Code function: 0_2_0149C934
Source: C:\Users\user\Desktop\sale order.exe | Code function: 0_2_0149E8E3
Source: C:\Users\user\Desktop\sale order.exe | Code function: 0_2_0149E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_015647A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_015646B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0156D660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06406850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064090D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06407120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_068DA228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_068D3764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0640BEB8 appears 48 times
Source: sale order.exe, 00000000.00000000.268260989.0000000000BF2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGetEnumeratord.exe8 vs sale order.exe
Source: sale order.exe, 00000000.00000002.284725976.0000000007E30000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs sale order.exe
Source: sale order.exe, 00000000.00000002.281236179.000000000426E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTflIVczzDXbBygSDTYesuzKjHX.exe4 vs sale order.exe
Source: sale order.exe, 00000000.00000002.280713991.00000000030E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs sale order.exe
Source: sale order.exe | Binary or memory string: OriginalFilenameGetEnumeratord.exe8 vs sale order.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: sale order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sale order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\sale order.exe 'C:\Users\user\Desktop\sale order.exe'
Source: C:\Users\user\Desktop\sale order.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\sale order.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sale order.exe.log
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
Source: C:\Users\user\Desktop\sale order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3732:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01
Source: C:\Users\user\Desktop\sale order.exe | Mutant created: \Sessions\1\BaseNamedObjects\WPBvFnYGuWTCXnk
Source: 3.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\sale order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: sale order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

                      Data Obfuscation:

.NET source code contains potential unpacker
Source: sale order.exe, u000eu2004.cs | .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.sale order.exe.b90000.0.unpack, u000eu2004.cs | .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.sale order.exe.b90000.0.unpack, u000eu2004.cs | .Net Code: \x02 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\sale order.exe | Code function: 0_2_00BE7672 push cs; ret 0_2_00BE7673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0640EC22 pushad ; ret 3_2_0640EC69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06407AE8 push 8BF04589h; iretd 3_2_06407B74
Source: initial sample | Static PE information: section name: .text entropy: 7.95448037982
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\Desktop\sale order.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
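Taken together, the persistence evidence in this report is a short chain: RegSvcs.exe (the injected host) writes NXLun.exe under %APPDATA%, registers it under the HKCU Run key as NXLun, strips its Zone.Identifier stream, and rewrites the hosts file. The process tree shows NXLun.exe with the same MD5 as RegSvcs.exe (2867A3817C9245F7CF518524DFD18F28) and the dropped file carries a RegSvcs.pdb string, so the autorun target is a renamed copy of a signed framework binary. The Python below, added here as an example and not part of the Joe Sandbox report, applies those three checks to collected records so it runs offline; collecting them from a live host (reg.exe, Get-FileHash, reading the hosts file) is not shown. The Run value data and the hosts lines are constructed: the report names the value and the written file, not their contents.

```python
"""Persistence triage for the chain in this report. Added example, not Joe
Sandbox code. Operates on collected records; RUN_ENTRY's data and the hosts
sample are constructed, the hashes and names are quoted from the report."""
import ntpath
import re

# Known-good MD5s of Microsoft binaries that get copied and renamed for
# persistence. Only the hash shown in this report is listed; a real table would
# be built from a clean reference image.
KNOWN_SYSTEM_BINARY_MD5 = {"2867a3817c9245f7cf518524dfd18f28": "RegSvcs.exe"}

USER_PROFILE_PREFIXES = ("c:\\users\\", "%appdata%", "%localappdata%", "%userprofile%")

# Entries a stock Windows hosts file may contain uncommented (assumption).
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def image_from_run_value(data: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    d = data.strip()
    if d[:1] in ('"', "'"):
        end = d.find(d[0], 1)
        return d[1:end] if end != -1 else d[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", d, re.I)
    return m.group(1) if m else d.split(None, 1)[0]


def triage_run_entry(entry: dict, file_info: dict) -> list:
    """Findings for one Run value plus what is known about its target file."""
    findings = []
    target = image_from_run_value(entry["data"])
    base = ntpath.basename(target)
    if target.lower().startswith(USER_PROFILE_PREFIXES):
        findings.append(f"{entry['name']}: autorun target under the user profile ({target})")
    md5 = file_info.get("md5", "").lower()
    original = KNOWN_SYSTEM_BINARY_MD5.get(md5)
    if original and original.lower() != base.lower():
        findings.append(f"{base} is a renamed copy of {original} (MD5 {md5})")
    pdb = file_info.get("pdb")
    if pdb and ntpath.splitext(ntpath.basename(pdb))[0].lower() != ntpath.splitext(base)[0].lower():
        findings.append(f"{base} embeds PDB name {pdb}, which does not match its file name")
    return findings


def hosts_additions(hosts_text: str) -> list:
    """Active (uncommented) hosts entries that are not part of the stock file."""
    added = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if (ip, name) not in DEFAULT_HOSTS:
                added.append((ip, name))
    return added


# Records as the report shows them; the value data is assumed to be the plain path.
RUN_ENTRY = {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
             "name": "NXLun", "data": r"C:\Users\user\AppData\Roaming\NXLun\NXLun.exe"}
DROPPED_FILE = {"path": r"C:\Users\user\AppData\Roaming\NXLun\NXLun.exe",
                "md5": "2867A3817C9245F7CF518524DFD18F28", "pdb": "RegSvcs.pdb"}

# Constructed hosts file: stock comments plus two entries of the kind a stealer
# adds to cut off security vendors. The host names are placeholders.
HOSTS_SAMPLE = """# Copyright (c) 1993-2009 Microsoft Corp.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 update.vendor-a.invalid
127.0.0.1 telemetry.vendor-b.invalid   # added
"""

if __name__ == "__main__":
    for finding in triage_run_entry(RUN_ENTRY, DROPPED_FILE):
        print("finding:", finding)
    for ip, name in hosts_additions(HOSTS_SAMPLE):
        print("hosts addition:", ip, name)
```

The hash check is the one that survives renaming: an autorun target whose hash matches a Microsoft binary under a different file name is a much stronger signal than the user-profile path alone, which plenty of legitimate updaters share.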
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match File source: 00000000.00000002.280846228.0000000003187000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.280713991.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: sale order.exe PID: 6128, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: sale order.exe, 00000000.00000002.280846228.0000000003187000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                      Source: sale order.exe, 00000000.00000002.280846228.0000000003187000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\sale order.exe TID: 3180 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 6000 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 5072 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\sale order.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 909
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8911
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\sale order.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\sale order.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                      Source: sale order.exe, 00000000.00000002.280846228.0000000003187000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: sale order.exe, 00000000.00000002.280846228.0000000003187000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: sale order.exe, 00000000.00000002.280846228.0000000003187000.00000004.00000001.sdmp Binary or memory string: vmware
                      Source: RegSvcs.exe, 00000003.00000002.537939565.0000000006190000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\
                      Source: sale order.exe, 00000000.00000002.280846228.0000000003187000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\sale order.exe Process token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0640CC44 KiUserExceptionDispatcher, KiUserExceptionDispatcher, LdrInitializeThunk, 3_2_0640CC44
                      Source: C:\Users\user\Desktop\sale order.exe Memory allocated: page read and write | page guard
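The evasion block above records three distinct signals: hardware fingerprinting through WMI (Win32_BaseBoard, Win32_Processor, Win32_NetworkAdapterConfiguration), strings naming analysis tooling in process memory (SbieDll.dll for Sandboxie, wine_get_unix_file_name for Wine, VMware Tools paths), and thread delays of 922337203685477, which is Int64.MaxValue ticks (100 ns each) divided by 10,000, i.e. TimeSpan.MaxValue in milliseconds rather than a real timeout. The script below is an added triage example, not Joe Sandbox code or part of the report: it parses behaviour lines of the shape shown here and pulls those three signals out so a reviewer can score a report without reading every line. The line format regexes, the WMI class list and the marker list are this example's own assumptions, and the sample lines are copied from the report with the spacing normalised.

```python
"""Triage helper for sandbox behaviour lines of the kind shown in this report.

Added example, not Joe Sandbox code. Parses "Source: <process> <event>: <detail>"
lines and extracts three evasion signals: hardware fingerprinting over WMI,
analysis-tool strings in memory, and very long thread delays. The regexes and
class/marker lists are this example's assumptions about the line format.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Int64.MaxValue ticks (100 ns each) expressed in milliseconds: the value every
# "Thread sleep time" / "delay time" entry in the report carries, i.e. a delay
# of TimeSpan.MaxValue rather than a real timeout.
TIMESPAN_MAX_MS = 9223372036854775807 // 10_000

# Threshold quoted by the report's own sleep entries ("... >= -30000s").
DELAY_THRESHOLD = 30_000

# WMI classes commonly enumerated to look for hypervisor vendor strings
# (lower-cased so matching is case-insensitive).
HW_CLASSES = {
    "win32_baseboard", "win32_bios", "win32_processor", "win32_computersystem",
    "win32_networkadapter", "win32_networkadapterconfiguration",
    "win32_diskdrive", "win32_videocontroller",
}

# Upper-cased substrings that point at a sandbox, emulator or hypervisor.
# "Hyper-V" is deliberately absent: "Hyper-V RAW" is a Winsock provider name
# present in ordinary process memory (see the RegSvcs.exe entry above).
MARKERS = {
    "SBIEDLL": "Sandboxie",
    "WINE_GET_UNIX_FILE_NAME": "Wine",
    "VMWARE": "VMware",
    "VBOX": "VirtualBox",
    "VIRTUALBOX": "VirtualBox",
    "QEMU": "QEMU",
}

# "Source: <path-or-name>.exe[, <memory dump id>] <event text>"
SOURCE_RE = re.compile(r"^Source:\s+(?P<proc>.+?\.exe)(?:,\s*\S+)?\s+(?P<rest>.+)$", re.IGNORECASE)
WMI_CLASS_RE = re.compile(r"\bWin32_\w+", re.IGNORECASE)
DELAY_RE = re.compile(r"(?:sleep time|delay time):\s*-?(\d+)", re.IGNORECASE)

# Constructed sample: lines from this report with the spacing normalised.
SAMPLE_LINES = [
    r"Source: sale order.exe, 00000000.00000002.280846228.0000000003187000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL",
    r"Source: sale order.exe, 00000000.00000002.280846228.0000000003187000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\Desktop\sale order.exe TID: 3180 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8911",
    r"Source: sale order.exe, 00000000.00000002.280846228.0000000003187000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools",
    r"Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation",
]


def triage(lines: List[str]) -> Dict[str, object]:
    """Return the evasion indicators found in a list of behaviour lines."""
    wmi_hardware: List[Tuple[str, str]] = []
    tool_strings: List[Tuple[str, str, str]] = []
    long_delays: List[Dict[str, object]] = []
    parsed = 0

    for raw in lines:
        m = SOURCE_RE.match(raw.strip())
        if not m:
            continue  # headings, Yara lines and anything else without a process
        parsed += 1
        proc = ntpath.basename(m.group("proc"))  # Windows path -> file name
        rest = m.group("rest")

        if "WMI Queries:" in rest:
            for cls in WMI_CLASS_RE.findall(rest):
                if cls.lower() in HW_CLASSES:
                    wmi_hardware.append((proc, cls))
        elif "Binary or memory string:" in rest:
            value = rest.split("Binary or memory string:", 1)[1].strip().upper()
            for marker, product in MARKERS.items():
                if marker in value:
                    tool_strings.append((proc, marker, product))
        else:
            dm = DELAY_RE.search(rest)
            if dm:
                ms = int(dm.group(1))  # the leading '-' is the NT relative-time sign
                if ms >= DELAY_THRESHOLD:
                    long_delays.append({"proc": proc, "value": ms,
                                        "timespan_max": ms == TIMESPAN_MAX_MS})

    return {"parsed": parsed, "wmi_hardware": wmi_hardware,
            "analysis_tool_strings": tool_strings, "long_delays": long_delays}


def looks_evasive(result: Dict[str, object]) -> bool:
    """Two independent signal classes present is a reasonable bar for 'evasive'."""
    keys = ("wmi_hardware", "analysis_tool_strings", "long_delays")
    return sum(bool(result[k]) for k in keys) >= 2


if __name__ == "__main__":
    res = triage(SAMPLE_LINES)
    for key, val in res.items():
        print(f"{key}: {val}")
    print("evasive:", looks_evasive(res))
```

The WMI and marker lists are conservative on purpose; the "threadDelayed 8911" line is left alone because that figure is a call count, not a delay length, and a single font-volume query produces no finding at all.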

                      HIPS / PFW / Operating System Protection Evasion:

                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\sale order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: RegSvcs.exe, 00000003.00000002.535907003.00000000019A0000.00000002.00020000.sdmp Binary or memory string: Program Manager
                      Source: RegSvcs.exe, 00000003.00000002.535907003.00000000019A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 00000003.00000002.535907003.00000000019A0000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: RegSvcs.exe, 00000003.00000002.535907003.00000000019A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
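The report records that the injected RegSvcs.exe wrote C:\Windows\System32\drivers\etc\hosts but not what it wrote, so the responder's next step is to pull the file from the host and look at the active mappings. The parser below is an added example, not code from the report or from the sample: it separates a stock hosts file (comments only, or localhost to loopback) from entries that sinkhole a name to loopback or 0.0.0.0 and entries that redirect a name to some other address. The sample hosts content is constructed for illustration and its hostnames are hypothetical; nothing here claims what this particular sample wrote.

```python
"""Classify the active mappings in a Windows hosts file.

Added example, not from the report or the sample. A stock Windows hosts file
contains only comments, so every active mapping other than localhost is worth
a look: loopback/unspecified targets sinkhole a name (typical for blocking
update or telemetry hosts), anything else redirects it.
"""
import ipaddress
from typing import Dict, List, Tuple

# Names that are harmless to see mapped to a loopback address.
BASELINE_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample; the hostnames are hypothetical (.invalid TLD) and the
# redirect target is from TEST-NET-2, reserved for documentation.
SAMPLE_HOSTS = """\
# Constructed sample hosts file (not the file written by this sample).
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1 localhost
0.0.0.0   updates.example-av.invalid      # hypothetical AV update host, nulled
127.0.0.1 telemetry.example-edr.invalid   # hypothetical EDR telemetry host, loopbacked
198.51.100.7 login.example-bank.invalid   # hypothetical bank login host sent elsewhere
"""

Entry = Tuple[str, str, int]  # (ip, hostname, line number)


def parse_hosts(text: str) -> List[Entry]:
    """Return every active (ip, hostname, line_no) mapping; comments are skipped."""
    entries: List[Entry] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: the resolver ignores it, so do we
        for host in parts[1:]:  # one address may carry several names
            entries.append((str(ip), host.lower(), no))
    return entries


def classify_hosts(text: str) -> Dict[str, List[Entry]]:
    """Split active mappings into baseline, sinkholed and redirected entries."""
    result: Dict[str, List[Entry]] = {"baseline": [], "sinkholed": [], "redirected": []}
    for ip, host, no in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if host in BASELINE_HOSTS and addr.is_loopback:
            result["baseline"].append((ip, host, no))
        elif addr.is_loopback or addr.is_unspecified:
            result["sinkholed"].append((ip, host, no))
        else:
            result["redirected"].append((ip, host, no))
    return result


if __name__ == "__main__":
    for kind, entries in classify_hosts(SAMPLE_HOSTS).items():
        for ip, host, no in entries:
            print(f"{kind:10} line {no}: {host} -> {ip}")
```

On a live host, read the file with the encoding the system actually uses (it is usually ANSI, occasionally UTF-8 with a BOM) and compare the result against a known-good copy; the classification alone tells you that something is there, the diff tells you when it arrived.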
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Users\user\Desktop\sale order.exe VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\sale order.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\sale order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_06405594 GetUserNameW, 3_2_06405594

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.sale order.exe.438e570.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sale order.exe.438e570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sale order.exe.42946c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.534073873.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.281050930.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.281236179.000000000426E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.536714817.0000000003215000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sale order.exe PID: 6128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4524, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4524, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.sale order.exe.438e570.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sale order.exe.438e570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sale order.exe.42946c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.534073873.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.281050930.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.281236179.000000000426E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.536714817.0000000003215000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sale order.exe PID: 6128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4524, type: MEMORYSTR

Mitre Att&ck Matrix

(Numbers after a technique name are the signature-count badges from the report; an empty cell means no technique in that column for that row.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Process Injection 12 | File and Directory Permissions Modification 1 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Disable or Modify Tools 1 | Credentials in Registry 1 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 11 | Security Account Manager | Security Software Discovery 211 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 13 | LSA Secrets | Virtualization/Sandbox Evasion 131 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 131 | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 12 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

[Interactive behavior graph not captured in this extraction. Its legend distinguishes processes, signatures, created files, DNS/IP info, dropped files, Windows processes, counts of created registry values and files, implementation language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious nodes and Internet nodes.]

Screenshots

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

[Screenshot thumbnails not captured in this extraction.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0% | Metadefender |
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://eOPeED.com | 2% | Virustotal |
http://eOPeED.com | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/c | 0% | Avira URL Cloud | safe
http://crl.microsoft.co | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://92rgATMXZYKxK.net | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://crl.starfieldtech.co | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.tiro.comn | 0% | URL Reputation | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.como | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
sg2plcpnl0023.prod.sin2.secureserver.net | 182.50.132.92 | true | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://certs.starfieldtech.com/repository/0 | RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | false | | high
http://certificates.starfieldtech.com/repository/0 | RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers? | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | | high
http://crl.starfieldtech.com/sfig2s1-169.crl0c | RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://eOPeED.com | RegSvcs.exe, 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://ocsp.starfieldtech.com/0; | RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.collada.org/2005/11/COLLADASchema9Done | sale order.exe, 00000000.00000002.284684046.0000000007C20000.00000004.00020000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.starfieldtech.com/0F | RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmp | false | | high
http://www.sajatypeworks.com | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/c | sale order.exe, 00000000.00000003.271653953.0000000005E44000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microsoft.co | RegSvcs.exe, 00000003.00000003.474129335.00000000061AE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://92rgATMXZYKxK.net | RegSvcs.exe, 00000003.00000002.536714817.0000000003215000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.536883763.00000000032A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmp | false
                                            • URL Reputation: safe
                                            unknown
                                            http://crl.starfieldtech.coRegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.sakkal.comsale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipsale order.exe, 00000000.00000002.281050930.00000000040E9000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.534073873.0000000000402000.00000040.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.apache.org/licenses/LICENSE-2.0sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.fontbureau.comsale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmpfalse
                                                high
                                                http://DynDns.comDynDNSRegSvcs.exe, 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haRegSvcs.exe, 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://certs.starfieldtech.com/repository/1402RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://crl.starfieldtech.com/sfroot-g2.crl0LRegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.tiro.comnsale order.exe, 00000000.00000003.271714351.0000000005E38000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://sg2plcpnl0023.prod.sin2.secureserver.netRegSvcs.exe, 00000003.00000002.536831998.000000000327A000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://api.ipify.org%$RegSvcs.exe, 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      low
                                                      http://www.carterandcone.comlsale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers/cabarga.htmlNsale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.founder.com.cn/cnsale order.exe, 00000000.00000003.271353212.0000000005E54000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers/frere-jones.htmlsale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.fontbureau.commsale order.exe, 00000000.00000003.279577057.0000000005E30000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://certs.starfieldtech.com/reposiRegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://www.fontbureau.comosale order.exe, 00000000.00000003.279577057.0000000005E30000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers8sale order.exe, 00000000.00000002.282802350.0000000007042000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://certificates.starfieldtech.com/repository/sfig2.crt0RegSvcs.exe, 00000003.00000003.483489630.00000000061DF000.00000004.00000001.sdmpfalse
                                                                high

                                                                Contacted IPs


                                                                Public

IP             | Domain                                    | Country   | ASN   | ASN Name                       | Malicious
182.50.132.92  | sg2plcpnl0023.prod.sin2.secureserver.net  | Singapore | 26496 | AS-26496-GO-DADDY-COM-LLC (US) | false

                                                                General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502597
Start date: 14.10.2021
Start time: 05:29:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 29s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: sale order.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 100
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                • Excluded IPs from analysis (whitelisted): 95.100.216.89, 20.82.209.183, 40.112.88.60, 67.27.157.126, 8.253.95.120, 8.253.207.120, 8.248.149.254, 8.248.131.254, 67.26.139.254, 8.253.204.249, 8.248.135.254, 20.199.120.151, 2.20.178.24, 2.20.178.33, 20.199.120.182, 20.199.120.85, 20.50.102.62
                                                                • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fg.download.windowsupdate.com.c.footprint.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                Simulations

                                                                Behavior and APIs

Time     | Type            | Description
05:30:16 | API Interceptor | 1x Sleep call for process: sale order.exe modified
05:30:25 | API Interceptor | 825x Sleep call for process: RegSvcs.exe modified
05:30:36 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
05:30:44 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe


                                                                                                                              Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log
Process: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 142
Entropy (8bit): 5.090621108356562
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5: 8C0458BB9EA02D50565175E38D577E35
SHA-1: F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256: C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512: 804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sale order.exe.log
Process: C:\Users\user\Desktop\sale order.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA-1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: false
Reputation: high, very likely benign file
                                                                                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                                                              C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):45152
                                                                                                                              Entropy (8bit):6.149629800481177
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                                                                              MD5:2867A3817C9245F7CF518524DFD18F28
                                                                                                                              SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                                                                              SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                                                                              SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                                                                              Malicious:true
                                                                                                                              Antivirus:
                                                                                                                               • Antivirus: Metadefender, Detection: 0%
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              Joe Sandbox View:
                                                                                                                               • Filename: XnQ8NBKkhW.exe, Detection: malicious
                                                                                                                               • Filename: DEBIT NOTE.exe, Detection: malicious
                                                                                                                               • Filename: FAj7shxXukkNrTk.exe, Detection: malicious
                                                                                                                               • Filename: ameHrrFwNp.exe, Detection: malicious
                                                                                                                               • Filename: gNFfZ1w8E6.exe, Detection: malicious
                                                                                                                               • Filename: YdACOWCggQ.exe, Detection: malicious
                                                                                                                               • Filename: Swift copy.exe, Detection: malicious
                                                                                                                               • Filename: KRSEL0000056286.JPG.exe, Detection: malicious
                                                                                                                               • Filename: tT5M57z8XiwLwf5.exe, Detection: malicious
                                                                                                                               • Filename: SecuriteInfo.com.Suspicious.Win32.Save.a.7200.exe, Detection: malicious
                                                                                                                               • Filename: Purchase order.exe, Detection: malicious
                                                                                                                               • Filename: 21ITQXL080104122T7.exe, Detection: malicious
                                                                                                                               • Filename: COSCOSH SHANGHAI SHIP MANAGEMENT CO LTD.exe, Detection: malicious
                                                                                                                               • Filename: 319-7359-01#U00a0BL#U00a0DRAFT.exe, Detection: malicious
                                                                                                                               • Filename: HSBc20210216B1.exe, Detection: malicious
                                                                                                                               • Filename: BANK INFORMATION.exe, Detection: malicious
                                                                                                                               • Filename: PO.2100002.exe, Detection: malicious
                                                                                                                               • Filename: dorlla.exe, Detection: malicious
                                                                                                                               • Filename: dAkJsQr7A9.exe, Detection: malicious
                                                                                                                               • Filename: QT2021154 NCX Glasurit Rev.1.exe, Detection: malicious
                                                                                                                              Reputation:high, very likely benign file
                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                                                                              C:\Windows\System32\drivers\etc\hosts
                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                              Category:modified
                                                                                                                              Size (bytes):835
                                                                                                                              Entropy (8bit):4.694294591169137
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                                                                                              MD5:6EB47C1CF858E25486E42440074917F2
                                                                                                                              SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                                                                                              SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                                                                                              SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                                                                                              Malicious:true
                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                              Preview: # Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                                                                                                                              \Device\ConDrv
                                                                                                                              Process:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1141
                                                                                                                              Entropy (8bit):4.44831826838854
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                                                                              MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                                                                              SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                                                                              SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                                                                              SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                                                                              Malicious:false
                                                                                                                              Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                                                                              Static File Info

                                                                                                                              General

                                                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                              Entropy (8bit):7.943912144915366
                                                                                                                              TrID:
                                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                                                                              File name:sale order.exe
                                                                                                                              File size:385536
                                                                                                                              MD5:9d3fe8ed9fd927c91dd268f70a4c20b9
                                                                                                                              SHA1:0f0fe91255fd8af65bc2c03eb4ac63c888e600c9
                                                                                                                              SHA256:81c6ab8a5c8ea969d37b9b55d052cf8b352109f1d7e85e1115570f54e542b7c2
                                                                                                                              SHA512:f10468df2a885d3f3141280721d9365d72e91bcfb5d97ac6cf7ea3399c603da1c23a62a34c6d9801ca835e3ee46b050a1047dc3ab53680603316d93dc749f63e
                                                                                                                              SSDEEP:6144:wWOdWnLnJFNN1QT65Ib/Z2yNUHJ+UU+hektHJuFqBR4iAuqaBh86RqfxtmgYFgbH:wW+WtFH1Qd/ZDVUU+YkPTBR47+Bh86M9
                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ga................................. ........@.. .......................@............@................................

                                                                                                                              File Icon

                                                                                                                              Icon Hash:00828e8e8686b000

                                                                                                                              Static PE Info

                                                                                                                              General

                                                                                                                              Entrypoint:0x45f7e6
                                                                                                                              Entrypoint Section:.text
                                                                                                                              Digitally signed:false
                                                                                                                              Imagebase:0x400000
                                                                                                                              Subsystem:windows gui
                                                                                                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                              Time Stamp:0x616788CD [Thu Oct 14 01:33:01 2021 UTC]
                                                                                                                              TLS Callbacks:
                                                                                                                              CLR (.Net) Version:v4.0.30319
                                                                                                                              OS Version Major:4
                                                                                                                              OS Version Minor:0
                                                                                                                              File Version Major:4
                                                                                                                              File Version Minor:0
                                                                                                                              Subsystem Version Major:4
                                                                                                                              Subsystem Version Minor:0
                                                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                              Entrypoint Preview

                                                                                                                              Instruction
                                                                                                                              jmp dword ptr [00402000h]
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5f78c | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x5a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x5d7ec | 0x5d800 | False | 0.960031438001 | data | 7.95448037982 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0x60000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x62000 | 0x5a0 | 0x600 | False | 0.429036458333 | data | 4.38015610359 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x620a0 | 0x34c | data | |
RT_MANIFEST | 0x623ec | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2015 - 2021
Assembly Version | 1.0.0.0
InternalName | GetEnumeratord.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | Win UsbInit
ProductVersion | 1.0.0.0
FileDescription | Win UsbInit
OriginalFilename | GetEnumeratord.exe

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 14, 2021 05:31:49.058628082 CEST | 56236 | 53 | 192.168.2.3 | 8.8.8.8
Oct 14, 2021 05:31:49.076781988 CEST | 53 | 56236 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 14, 2021 05:31:49.058628082 CEST | 192.168.2.3 | 8.8.8.8 | 0xdf03 | Standard query (0) | sg2plcpnl0023.prod.sin2.secureserver.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 14, 2021 05:31:49.076781988 CEST | 8.8.8.8 | 192.168.2.3 | 0xdf03 | No error (0) | sg2plcpnl0023.prod.sin2.secureserver.net | | 182.50.132.92 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 14, 2021 05:31:49.792210102 CEST | 587 | 49818 | 182.50.132.92 | 192.168.2.3 | 220-sg2plcpnl0023.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Wed, 13 Oct 2021 20:31:49 -0700
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Oct 14, 2021 05:31:49.792527914 CEST | 49818 | 587 | 192.168.2.3 | 182.50.132.92 | EHLO 579569
Oct 14, 2021 05:31:50.057771921 CEST | 587 | 49818 | 182.50.132.92 | 192.168.2.3 | 250-sg2plcpnl0023.prod.sin2.secureserver.net Hello 579569 [102.129.143.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-CHUNKING
    250-STARTTLS
    250-SMTPUTF8
    250 HELP
Oct 14, 2021 05:31:50.058363914 CEST | 49818 | 587 | 192.168.2.3 | 182.50.132.92 | STARTTLS
Oct 14, 2021 05:31:50.328748941 CEST | 587 | 49818 | 182.50.132.92 | 192.168.2.3 | 220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

                                                                                                                              System Behavior

                                                                                                                              General

                                                                                                                              Start time:05:30:11
                                                                                                                              Start date:14/10/2021
                                                                                                                              Path:C:\Users\user\Desktop\sale order.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:'C:\Users\user\Desktop\sale order.exe'
                                                                                                                              Imagebase:0xb90000
File size: 385536 bytes
MD5 hash: 9D3FE8ED9FD927C91DD268F70A4C20B9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.281050930.00000000040E9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.281050930.00000000040E9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.280846228.0000000003187000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.281236179.000000000426E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.281236179.000000000426E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.280713991.00000000030E1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 05:30:16
Start date: 14/10/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0xc30000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.536714817.0000000003215000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.534073873.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.534073873.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.536098752.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 05:30:44
Start date: 14/10/2021
Path: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase: 0xf90000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

General

Start time: 05:30:45
Start date: 14/10/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 05:30:53
Start date: 14/10/2021
Path: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase: 0x7ff70d6e0000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 05:30:53
Start date: 14/10/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis

Executed Functions

APIs
• GetCurrentProcess.KERNEL32 ref: 0149BE68
• GetCurrentThread.KERNEL32 ref: 0149BEA5
• GetCurrentProcess.KERNEL32 ref: 0149BEE2
• GetCurrentThreadId.KERNEL32 ref: 0149BF3B
Memory Dump Source
• Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 0149BE68
• GetCurrentThread.KERNEL32 ref: 0149BEA5
• GetCurrentProcess.KERNEL32 ref: 0149BEE2
• GetCurrentThreadId.KERNEL32 ref: 0149BF3B
Memory Dump Source
• Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 0149BE68
• GetCurrentThread.KERNEL32 ref: 0149BEA5
• GetCurrentProcess.KERNEL32 ref: 0149BEE2
• GetCurrentThreadId.KERNEL32 ref: 0149BF3B
Memory Dump Source
• Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 0149BE68
• GetCurrentThread.KERNEL32 ref: 0149BEA5
• GetCurrentProcess.KERNEL32 ref: 0149BEE2
• GetCurrentThreadId.KERNEL32 ref: 0149BF3B
Memory Dump Source
• Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 01499D56
Memory Dump Source
• Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 014956F9
Memory Dump Source
• Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 014956F9
Memory Dump Source
• Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • CreateActCtxA.KERNEL32(?), ref: 014956F9
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: Create
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2289755597-0
                                                                                                                                • Opcode ID: 935da2bbca3d82839943b5a4b87e808c47fdb5b8c22bec3bfd0f57677cd2121a
                                                                                                                                • Instruction ID: 7d291604ecedd9d39f6d20ceab8de9a9c69174f6412e7b9f2a66dd6d40674195
                                                                                                                                • Opcode Fuzzy Hash: 935da2bbca3d82839943b5a4b87e808c47fdb5b8c22bec3bfd0f57677cd2121a
                                                                                                                                • Instruction Fuzzy Hash: 2E41C270C00618CFDF24CFA9C984BDEBBB5BF88304F24856AD409AB251DB75594ACF90
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • CreateActCtxA.KERNEL32(?), ref: 014956F9
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: Create
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2289755597-0
                                                                                                                                • Opcode ID: 3c25c84783e877cee072213845bdff19bbd862abd1cf89510416c93d018113ae
                                                                                                                                • Instruction ID: 24cfc1506452827903360d001dd1ffc80ced74395b79a71253a4d1ab2475991e
                                                                                                                                • Opcode Fuzzy Hash: 3c25c84783e877cee072213845bdff19bbd862abd1cf89510416c93d018113ae
                                                                                                                                • Instruction Fuzzy Hash: 5141D2B0C00618CFDF24CFA9C985BDEBBB5BF88304F24856AD409AB251DB75594ACF90
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149C0B7
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: DuplicateHandle
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3793708945-0
                                                                                                                                • Opcode ID: 3385b043d3beacd4becfb9921b8cd4b6f53665e81b131f33c05345fa46ca0d81
                                                                                                                                • Instruction ID: b6d0492c5053a9d59494d6d4aa6931aff5e3373f0b027a32740cfa03f18409d7
                                                                                                                                • Opcode Fuzzy Hash: 3385b043d3beacd4becfb9921b8cd4b6f53665e81b131f33c05345fa46ca0d81
                                                                                                                                • Instruction Fuzzy Hash: 1621B3B5900209AFDB10CF9AD985ADEFBF8FB48324F14841AE954A3350D374A954CFA5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149C0B7
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: DuplicateHandle
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3793708945-0
                                                                                                                                • Opcode ID: 744128e66627e8dad1b2e9c7b7c18de0f585093eea5bb0c3f5820cf6da58a828
                                                                                                                                • Instruction ID: c0dd723e42e89110f947aa68b92bb88703dbb1209c022efc3c41d1992eebfc1a
                                                                                                                                • Opcode Fuzzy Hash: 744128e66627e8dad1b2e9c7b7c18de0f585093eea5bb0c3f5820cf6da58a828
                                                                                                                                • Instruction Fuzzy Hash: C921B0B59002089FDB10CFAAD984AEEBBF8EB48324F14841AE955A3710D374A945CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149C0B7
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: DuplicateHandle
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 3793708945-0
                                                                                                                                • Opcode ID: d789d646259ebb9f6584fbb51c8f10e9a0b921bb40eec351fe416f88de638b9f
                                                                                                                                • Instruction ID: a4cd53a0dcca1fd742a6a341128d1f954f698258a6f236759e85e69a34bd512e
                                                                                                                                • Opcode Fuzzy Hash: d789d646259ebb9f6584fbb51c8f10e9a0b921bb40eec351fe416f88de638b9f
                                                                                                                                • Instruction Fuzzy Hash: CE21C2B59002089FDB10CFAAD984AEEBFF8EB48324F14841AE954A3310D374A944CFA5
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01499DD1,00000800,00000000,00000000), ref: 01499FE2
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: LibraryLoad
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                • Opcode ID: 5cb3dc1e9d86f82adbb7be44205c117b9cf50c6d001e6691c37bb065cbac7b6a
                                                                                                                                • Instruction ID: 00a28ef064c42618003ace94fbeb2de2f744957d6873d5138a692227a9ebea05
                                                                                                                                • Opcode Fuzzy Hash: 5cb3dc1e9d86f82adbb7be44205c117b9cf50c6d001e6691c37bb065cbac7b6a
                                                                                                                                • Instruction Fuzzy Hash: 371114B69042098FDF10CF9AC484ADEFBF4EB88314F14842EE519B7610C374A945CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01499DD1,00000800,00000000,00000000), ref: 01499FE2
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: LibraryLoad
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                • Opcode ID: fe0ac04fe0f32317ef1a93dd566d4e13b2f6df8efa29eff5fca20c59f55f6d26
                                                                                                                                • Instruction ID: daad25068d1bf4bd29d01c0be105ca5a9a1c44c6fff71a0f34d82bd1c37f7537
                                                                                                                                • Opcode Fuzzy Hash: fe0ac04fe0f32317ef1a93dd566d4e13b2f6df8efa29eff5fca20c59f55f6d26
                                                                                                                                • Instruction Fuzzy Hash: 561114B6C002498FDF10CFAAD484ADEFFF4AB98324F14852ED559A7610C375A946CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01499DD1,00000800,00000000,00000000), ref: 01499FE2
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: LibraryLoad
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                • Opcode ID: 29f4bf2d7ad8903e8f6f89516a66658f02181784739250f72a11ff90c4766020
                                                                                                                                • Instruction ID: 5b96e36d3f0b9256685a1f37693bd8121272edfc2b0d0b07e5a32150bff6a076
                                                                                                                                • Opcode Fuzzy Hash: 29f4bf2d7ad8903e8f6f89516a66658f02181784739250f72a11ff90c4766020
                                                                                                                                • Instruction Fuzzy Hash: 951114B6C002498FDF10CFAAD484ADEFFF4AB88324F14852ED559A7610C375A946CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 01499D56
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: HandleModule
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4139908857-0
                                                                                                                                • Opcode ID: fc7aae3a89fe3f611d18d7100c356a11e1596656e0bd7eeceec0314c5b8f5e44
                                                                                                                                • Instruction ID: 76124c56a31e464a94da062fde709ac0f7fa166ba8733d2f7c5054edfda96eae
                                                                                                                                • Opcode Fuzzy Hash: fc7aae3a89fe3f611d18d7100c356a11e1596656e0bd7eeceec0314c5b8f5e44
                                                                                                                                • Instruction Fuzzy Hash: F21104B5C002498FDB20CF9AD484BDEFFF4AF88224F14851AD569B7610C379A546CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 01499D56
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: HandleModule
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4139908857-0
                                                                                                                                • Opcode ID: 89d21fa672b2dd2168609b5ac8b0cec97ad85ffb167f8ecd752b91fecd125304
                                                                                                                                • Instruction ID: a6acad2f0a4461da6459a5893905a058e319c0fc030ed578aa940833f1c77348
                                                                                                                                • Opcode Fuzzy Hash: 89d21fa672b2dd2168609b5ac8b0cec97ad85ffb167f8ecd752b91fecd125304
                                                                                                                                • Instruction Fuzzy Hash: 7B11E3B5C006498FDB10CF9AD444BDEFBF4AF88224F14851AD529B7610C375A546CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Non-executed Functions

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 32d09295359e02b0444337c7800293862efdd3cc604bc405c573faeb6badd981
                                                                                                                                • Instruction ID: 4a759ffb301fdd1c0812ad67fa184600857b82c7544e7981fbda12f0f55c3353
                                                                                                                                • Opcode Fuzzy Hash: 32d09295359e02b0444337c7800293862efdd3cc604bc405c573faeb6badd981
                                                                                                                                • Instruction Fuzzy Hash: 0A12EBF5CD17468BDB10CF56ECD81893BA1B745328BD24A48D2E92BAD0DBB405EACF44
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 248f40d34f56a356061322c66cf5c77a15c73bad31fcc4e976691627bce4efb6
                                                                                                                                • Instruction ID: 3012ddcbd864773a99f2f600df86c7d3b00e9b1dda2f906f128874eb5785dff0
                                                                                                                                • Opcode Fuzzy Hash: 248f40d34f56a356061322c66cf5c77a15c73bad31fcc4e976691627bce4efb6
                                                                                                                                • Instruction Fuzzy Hash: 5EA16E32E0021ACFCF15DFA5C8849DEBBF2FF95300B15856AE905BB261EB35A955CB40
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000000.00000002.280399434.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 661768e274886efd175b88aee0fa4e783701308ed5d8fd0e8e58df4ef1654ee9
                                                                                                                                • Instruction ID: 1c2cf77980334018c8bafd03474342c0f8eeedf00beb6007470d3fc9e3291d11
                                                                                                                                • Opcode Fuzzy Hash: 661768e274886efd175b88aee0fa4e783701308ed5d8fd0e8e58df4ef1654ee9
                                                                                                                                • Instruction Fuzzy Hash: D0C13DB1CD17458BDB10CF66ECD41893BA1BB85328FD24B49D2A92B6D0DBB414EACF44
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Executed Functions

                                                                                                                                APIs
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640CE15
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640D15E
                                                                                                                                • LdrInitializeThunk.NTDLL ref: 0640D70D
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2638914809-0
                                                                                                                                • Opcode ID: d3435f9c28ac2fb818f9b9e3c31af735dc635e0706e340eadd3642a1aae2e567
                                                                                                                                • Instruction ID: 79274e7d6dc8188d28cbdbe8d203da503641b13419d9d564562d946ff877728f
                                                                                                                                • Opcode Fuzzy Hash: d3435f9c28ac2fb818f9b9e3c31af735dc635e0706e340eadd3642a1aae2e567
                                                                                                                                • Instruction Fuzzy Hash: 2AA24B74A05228CFDB65DF60D898AADB7B6BF48305F1144EAD609A7344CF30AE85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538521943.00000000068D0000.00000040.00000010.sdmp, Offset: 068D0000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: c1c6d3fea0c7a490e6fbf214afa1ffc4ed9b2ea610dbb15e6386728333904b7d
                                                                                                                                • Instruction ID: 9ef4a0b5eacb4cf1319ef0d179b94f3500dfe5591df7374bfb2e43f319cbe5ef
                                                                                                                                • Opcode Fuzzy Hash: c1c6d3fea0c7a490e6fbf214afa1ffc4ed9b2ea610dbb15e6386728333904b7d
                                                                                                                                • Instruction Fuzzy Hash: E4F17E30E00209DFDB58DFA9C844BADBBF1BF88304F258569E505EB2A5DB74E945CB90
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0640B213
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: NameUser
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2645101109-0
                                                                                                                                • Opcode ID: 7d158843816e46c95194b1069473cd072d9e0d1a1efbd18946e0108ba9a90f8a
                                                                                                                                • Instruction ID: 31a0dba86bbf4d6c91bd2eae275c82c3fba9c0327c5cfd33c4239b972bb29857
                                                                                                                                • Opcode Fuzzy Hash: 7d158843816e46c95194b1069473cd072d9e0d1a1efbd18946e0108ba9a90f8a
                                                                                                                                • Instruction Fuzzy Hash: 2A51F374D042288FEB58CFA9C888BDEBBB1FF48314F15852AD819BB390D7759844CB95
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 01566BB0
                                                                                                                                • GetCurrentThread.KERNEL32 ref: 01566BED
                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 01566C2A
                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 01566C83
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: Current$ProcessThread
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2063062207-0
                                                                                                                                • Opcode ID: 5715e1e9337c25c7200f70045b8b3c1755ee27b8940c03dbe7635d12a8e9f8b6
                                                                                                                                • Instruction ID: 90faa2e90f72d4a242b23c9a591881663461ff91ae1b86becd496a688c190e04
                                                                                                                                • Opcode Fuzzy Hash: 5715e1e9337c25c7200f70045b8b3c1755ee27b8940c03dbe7635d12a8e9f8b6
                                                                                                                                • Instruction Fuzzy Hash: 4C5198B09043898FEB54CFA9CA487DEBFF4EF89314F14849AD158A72A1C7745884CF61
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 01566BB0
                                                                                                                                • GetCurrentThread.KERNEL32 ref: 01566BED
                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 01566C2A
                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 01566C83
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: Current$ProcessThread
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2063062207-0
                                                                                                                                • Opcode ID: 9deb5b648bd5819e30d058c43bc5d884b7592a05f3ad8896e60bb8e17f587991
                                                                                                                                • Instruction ID: 8da2161c9f44f7151076b03102870e67928d713a42e43ce0b8c28d73e3963822
                                                                                                                                • Opcode Fuzzy Hash: 9deb5b648bd5819e30d058c43bc5d884b7592a05f3ad8896e60bb8e17f587991
                                                                                                                                • Instruction Fuzzy Hash: AC5135B09006498FDB54CFAAC6487DEBBF4FF88314F208859E119A7250D7745884CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640CE15
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640D15E
                                                                                                                                • LdrInitializeThunk.NTDLL ref: 0640D70D
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2638914809-0
                                                                                                                                • Opcode ID: 92a53cb629acade57d9d0f3bdc31cd63b16ddc2a5b596f1b4981deda111441d8
                                                                                                                                • Instruction ID: bd972dbc9d5aa152a075f5c1e888043274b8991471a67228733594f404c0f6b3
                                                                                                                                • Opcode Fuzzy Hash: 92a53cb629acade57d9d0f3bdc31cd63b16ddc2a5b596f1b4981deda111441d8
                                                                                                                                • Instruction Fuzzy Hash: 6F522C74A05228CFDB65DF70D898A9DB7B6BF48305F1085EAD50AA3344CB34AE85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640CE15
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640D15E
                                                                                                                                • LdrInitializeThunk.NTDLL ref: 0640D70D
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2638914809-0
                                                                                                                                • Opcode ID: cc7d188552563d968568eab1da92ef27900fa8c4b52daa19777fc1003999fc59
                                                                                                                                • Instruction ID: f8434df6dd1902d55999c8b54d687c17114c720ad5f54bbc9bf8a67a5b737343
                                                                                                                                • Opcode Fuzzy Hash: cc7d188552563d968568eab1da92ef27900fa8c4b52daa19777fc1003999fc59
                                                                                                                                • Instruction Fuzzy Hash: 80522C74A05228CFDB65DF60D898A9DB7B6BF48305F1085EAD50AA3344CF34AE85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640CE15
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640D15E
                                                                                                                                • LdrInitializeThunk.NTDLL ref: 0640D70D
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2638914809-0
                                                                                                                                • Opcode ID: 32fe673a4265d5eac1fa5465591fa7d9d310b7993729d0b84e712f6ec3572704
                                                                                                                                • Instruction ID: b07ffa96a23911116c2f7a5db6ff3701f214efba3815bee732c0534d5afedbe9
                                                                                                                                • Opcode Fuzzy Hash: 32fe673a4265d5eac1fa5465591fa7d9d310b7993729d0b84e712f6ec3572704
                                                                                                                                • Instruction Fuzzy Hash: 86523C74A05228CFDB65DF70D898A9DB7B6BF48205F1085EAD50AA3344CF34AE85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640CE15
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640D15E
                                                                                                                                • LdrInitializeThunk.NTDLL ref: 0640D70D
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2638914809-0
                                                                                                                                • Opcode ID: 286bf73467861d9346bc6dc73b10c602ad84760e55a6039ebc26b9e535668486
                                                                                                                                • Instruction ID: 479f31569509ddcd033ee749cf708010c1bd6ae23355f7f5e575660120e4f702
                                                                                                                                • Opcode Fuzzy Hash: 286bf73467861d9346bc6dc73b10c602ad84760e55a6039ebc26b9e535668486
                                                                                                                                • Instruction Fuzzy Hash: 22523C74A05228CFDB65DF70D898A9DB7B6BF48205F1085EAD50AA3344CF34AE85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640CE15
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640D15E
                                                                                                                                • LdrInitializeThunk.NTDLL ref: 0640D70D
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2638914809-0
                                                                                                                                • Opcode ID: daaa757e4e43058cc095083b5b374f3737a3a3a333667a9589a436b3e536d382
                                                                                                                                • Instruction ID: 0d9220b3f61d476faceb418808e9c6fe90e8ccaa0c27066bfbcd1580975c64d7
                                                                                                                                • Opcode Fuzzy Hash: daaa757e4e43058cc095083b5b374f3737a3a3a333667a9589a436b3e536d382
                                                                                                                                • Instruction Fuzzy Hash: 3D523C74A05228CFDB65DF70D898A9DB7B6BF48205F1085EAD50AA3344CF34AE85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640CE15
                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 0640D15E
                                                                                                                                • LdrInitializeThunk.NTDLL ref: 0640D70D
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2638914809-0
                                                                                                                                • Opcode ID: 6da8df8704b1b8712c5207b312d74e5b70e1586fe7572e78b96a8bbe03458a90
                                                                                                                                • Instruction ID: e5a03ebdd70e34798948d164177eb670acf4fbe7d1654ff9b05e768e34944e43
                                                                                                                                • Opcode Fuzzy Hash: 6da8df8704b1b8712c5207b312d74e5b70e1586fe7572e78b96a8bbe03458a90
                                                                                                                                • Instruction Fuzzy Hash: FC423C74A05228CFDB65DF60D898A9DB7B6BF48305F1085EAD50AA3344CF34AE85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640CE15
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 27be93af8bf73c6185fbc828ffeefc466fdb0086394ad31b450e79ba6951bbe5
• Instruction ID: 53e3421d711de67bf8ba6db7b58d1b9fb780d73fdb710700cf3017a05cfa8281
• Opcode Fuzzy Hash: 27be93af8bf73c6185fbc828ffeefc466fdb0086394ad31b450e79ba6951bbe5
• Instruction Fuzzy Hash: 5E422C74A05228CFDB65DFA0D898A9DB7F6BF48205F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: f8d70564b99bdc00262532620d552b03e63c0ef111f9d485fe7c111b220c5ee5
• Instruction ID: 979689b7f308a5ffd481d9700eebd2849cbf42f5af3cab5ccc9ed758b3008285
• Opcode Fuzzy Hash: f8d70564b99bdc00262532620d552b03e63c0ef111f9d485fe7c111b220c5ee5
• Instruction Fuzzy Hash: 1A422C74A05228CFDB65DFA0D898A9DB7B6BF48305F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: feb6f5ef34523d6d254e00e2030b8d6868553bfc5cb347804d594dfeadff41b7
• Instruction ID: 5d6c04447b2d5575819c3affb3860c7a1f72e53ba4e172d5b14ccb71b2cb6c21
• Opcode Fuzzy Hash: feb6f5ef34523d6d254e00e2030b8d6868553bfc5cb347804d594dfeadff41b7
• Instruction Fuzzy Hash: 1E421C74A05228CFDB65DFA0D898A9DB7B6BF48205F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: 14312aba66200f79c71fc52da0edd613734efbdc7aa291b1277e1bc732f0a191
• Instruction ID: 22e0a2ceeb0a313b066ec0eed0f50274a8f6cde260553f24002984eb0de4b2ee
• Opcode Fuzzy Hash: 14312aba66200f79c71fc52da0edd613734efbdc7aa291b1277e1bc732f0a191
• Instruction Fuzzy Hash: 0A421C74A05228CFDB65DFA0D898A9DB7B6BF48305F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: bac9618b3bdfe7fcb5e6008b7e74b10d6beb38f541769cacc33a6fce58ad5d40
• Instruction ID: 438fcf437d20a396e05be94e1a97253fd3f90be9fe3a9ceea30386e627dbe909
• Opcode Fuzzy Hash: bac9618b3bdfe7fcb5e6008b7e74b10d6beb38f541769cacc33a6fce58ad5d40
• Instruction Fuzzy Hash: 10421C74A05228CFDB65DFA0D898A9DB7F6BF48205F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: 1b9178b64e36f953e8019bcf9840d39790a4828cbe45edb1130bcc878c9a4f2b
• Instruction ID: e901085c72cb237f3b75594fc70f4a1ebc77f6305878b08edee8afebe70ff7be
• Opcode Fuzzy Hash: 1b9178b64e36f953e8019bcf9840d39790a4828cbe45edb1130bcc878c9a4f2b
• Instruction Fuzzy Hash: 89421C74A05228CFDB65DFA0D898A9DB7B6BF48305F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: fe2fd941484f2679d3d9a269b5d3cd7e07da9fc1ff1bcf2dd723ca3616071126
• Instruction ID: 1d08d8ab3d5d27c8cec9bae252b7886d9ec09043d6adbc5e10d4f6c481787a6c
• Opcode Fuzzy Hash: fe2fd941484f2679d3d9a269b5d3cd7e07da9fc1ff1bcf2dd723ca3616071126
• Instruction Fuzzy Hash: C0321C74A05228CFDB65DFA0D898A9DB7F6BF48205F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: f1b8c19c4b9dcc00f00c694109382d3a4bafee7b75e67cf297c87e33186fd0b9
• Instruction ID: fe4661e5a996d56fd58ff26d5b487c3c312ab49ef0b90a5e38dce92c754ce24f
• Opcode Fuzzy Hash: f1b8c19c4b9dcc00f00c694109382d3a4bafee7b75e67cf297c87e33186fd0b9
• Instruction Fuzzy Hash: FA321C74A05228CFDB65DFA0D898A9DB7B6BF48205F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: 7b614e9acb3f3888f0b33740d2f1e126af29933d155dfd988c04b7c4d4543a4e
• Instruction ID: 72279327dc592e0d33421b6dad91eb9014613f5162a3c395fb785c17815ac5e6
• Opcode Fuzzy Hash: 7b614e9acb3f3888f0b33740d2f1e126af29933d155dfd988c04b7c4d4543a4e
• Instruction Fuzzy Hash: CA322C74A05228CFDB65DFA0D898A9DB7F6BF48205F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: 24e17080324f4baa95ee344547522bbb500a6539022f5bbd727bcff285bd27aa
• Instruction ID: b59614bd4664e705c656e9aafa63a5e4a372623b4a9b7d6da163c7f37f61852e
• Opcode Fuzzy Hash: 24e17080324f4baa95ee344547522bbb500a6539022f5bbd727bcff285bd27aa
• Instruction Fuzzy Hash: 06322D74A05228CFDB65DFA0D898A9DB7F6BF48205F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: 4c25f360056fb251b462d40cbf6db35ab4ca46f9dab75024384082b02336215c
• Instruction ID: b3291c50b3ba0cc855a890919d77920a16932ba4846e17f5f080f22ec023cc03
• Opcode Fuzzy Hash: 4c25f360056fb251b462d40cbf6db35ab4ca46f9dab75024384082b02336215c
• Instruction Fuzzy Hash: C0322C74A05228CFDB65DFA0D898A9DB7F6BF48205F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: 884a73aef3122515756267c44fad2473ea7f50a91a7a0f28334ccacd59e38171
• Instruction ID: 6da9ad240a576ef6df30109b4e723794f883f36e87e27c6f20545e1bfe55e0d4
• Opcode Fuzzy Hash: 884a73aef3122515756267c44fad2473ea7f50a91a7a0f28334ccacd59e38171
• Instruction Fuzzy Hash: 19323C74A05228CFDB65DFA0D898A9DB7F6BF48205F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 0640D15E
• LdrInitializeThunk.NTDLL ref: 0640D70D
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: 36582703674d495facebca5007fe5398ef9fb076f684632659bb9bc3fce13da7
• Instruction ID: b87e70245f8b7e69b04feacad242e47ac47e3b211d684a5959efdfd0827e87de
• Opcode Fuzzy Hash: 36582703674d495facebca5007fe5398ef9fb076f684632659bb9bc3fce13da7
• Instruction Fuzzy Hash: 39223C74A05228CFDB65DFA0D898A9DB7F6BF48205F1084EAD50AA7344CF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c918da66052b78e9114dc7f9f9dd0e87f95789990c70893a73b45a68f9068967
• Instruction ID: d99889e434834f26349799830898f81b4ef7db55aac123cbe5158be76c34f802
• Opcode Fuzzy Hash: c918da66052b78e9114dc7f9f9dd0e87f95789990c70893a73b45a68f9068967
• Instruction Fuzzy Hash: B7223C74A05228CFDB65DFA0D898A9DB7F6BF48205F1084EAD50AA7344CF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: 66cf5a87e1810ff28ff0d878030598ed30fa14d155d1f4007fb1fc4b1beb1ba3
                                                                                                                                • Instruction ID: 744d4f414ff47981fa18e92f72bae9aa8a0abfbf23c2b26da90770c6e6f3e5c7
                                                                                                                                • Opcode Fuzzy Hash: 66cf5a87e1810ff28ff0d878030598ed30fa14d155d1f4007fb1fc4b1beb1ba3
                                                                                                                                • Instruction Fuzzy Hash: D4223C74A05228CFDB65DFA0D898A9DB7F6BF48205F1084EAD50AA7344CF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: dea1ccbb61b538485dac5fa1d4838be90df2c1f283b159e8df41ae51ee2fc404
                                                                                                                                • Instruction ID: e6b38f4650ddb7deacf1b2c883e33baa881a27d33b8467a49a426dd2ddcac64e
                                                                                                                                • Opcode Fuzzy Hash: dea1ccbb61b538485dac5fa1d4838be90df2c1f283b159e8df41ae51ee2fc404
                                                                                                                                • Instruction Fuzzy Hash: 5B224B74A05228CFDB65DFA0D898A9DB7F6BF48205F1084EAD50AA7344CF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: b362df44b4f2931bdc40fe4babce8ee7f5253b26c6486397249bc7fd878d10a2
                                                                                                                                • Instruction ID: fe85f6743d6d75efaea8e23dd323d43b6e6f1a73dfa4b9864ebfe5fde3cd7013
                                                                                                                                • Opcode Fuzzy Hash: b362df44b4f2931bdc40fe4babce8ee7f5253b26c6486397249bc7fd878d10a2
                                                                                                                                • Instruction Fuzzy Hash: 01224B74A05228CFDB65DFA0D898A9DB7F6BF48205F1084EAD50AA7344CF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: 1ab0a8d31daa102cdb385ad922e8c0bc29aca3390deddaf78ae35c4f10ba628f
                                                                                                                                • Instruction ID: efbe45a0c24b4999d8fa80da69560e719937eaf79ad02af2c6d60565b7b35bca
                                                                                                                                • Opcode Fuzzy Hash: 1ab0a8d31daa102cdb385ad922e8c0bc29aca3390deddaf78ae35c4f10ba628f
                                                                                                                                • Instruction Fuzzy Hash: 7A125B74A05228CFDB65DFA0D898A9DB7F6BF48201F1084EAD50AA7344CF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: 89c8f71016d73e9a83ddbeed62dfad47f7be42fa7cf6843f9e4c7251e7135be3
                                                                                                                                • Instruction ID: e90a0f9ea3684e4251287bc18efa9caa30e151e6a6ac62b57570f17e3cfb3bbb
                                                                                                                                • Opcode Fuzzy Hash: 89c8f71016d73e9a83ddbeed62dfad47f7be42fa7cf6843f9e4c7251e7135be3
                                                                                                                                • Instruction Fuzzy Hash: C5125B74A04228CFDB65DFA0D898A9DB7F6BF48205F1184EAD50AA7344CF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: 22f74c72e0b1e616b9a465736c0bfc8590f75bd0f91494df22a419d5de55e344
                                                                                                                                • Instruction ID: 31db3804143ee8ebc79c8053f8a70fbd7ddbd14734c1c22d93ef7aef1dbead6d
                                                                                                                                • Opcode Fuzzy Hash: 22f74c72e0b1e616b9a465736c0bfc8590f75bd0f91494df22a419d5de55e344
                                                                                                                                • Instruction Fuzzy Hash: C7124B74A04228CFDB65DFA0D898A9DB7F6BF48205F1184EAD50AA7344CF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: 6bd10a95395aef95c8d51314f23e0b1e6e51749b10d1598b72504844829d6ea9
                                                                                                                                • Instruction ID: 450b54acadcab09eba006447fc026937d23d7a5fef758a142b24f2e2d49f449e
                                                                                                                                • Opcode Fuzzy Hash: 6bd10a95395aef95c8d51314f23e0b1e6e51749b10d1598b72504844829d6ea9
                                                                                                                                • Instruction Fuzzy Hash: 2A124B74A05228CFDB65DFA0D898A9DB7F6BF88201F1184EAD50A97344CF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: e2b46cb9cfff4383c79afb91ddb20191e38b8f0df35b7c98458502ef4c404390
                                                                                                                                • Instruction ID: 88cb7a9c943e1008f89cc7fe0edb44ca0115c09ec7cad0432c71b615f83bda72
                                                                                                                                • Opcode Fuzzy Hash: e2b46cb9cfff4383c79afb91ddb20191e38b8f0df35b7c98458502ef4c404390
                                                                                                                                • Instruction Fuzzy Hash: DA123A74A04228CFDB65DFA0D898A9DB7F6AF88205F1184EAD50A97344CF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: 257c1a41ad31e61576e34b117fa4f5dbfab88ea08ed42e7e16f72d22ea35588f
                                                                                                                                • Instruction ID: 9582149285012a71f6aaf6ecad6c2cef7322ea89b605ef0b0f05222d3ff16176
                                                                                                                                • Opcode Fuzzy Hash: 257c1a41ad31e61576e34b117fa4f5dbfab88ea08ed42e7e16f72d22ea35588f
                                                                                                                                • Instruction Fuzzy Hash: 78024974A04228CFDB65DFA0D898A9DB7F6AF88201F1184EAD50A97344CF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: beeb3319b0d15a6c797773812aa9f5f5d6280c38e2554855d25ff12966412f07
                                                                                                                                • Instruction ID: 6efe6a7ffeb21365924f6dd3a9b31ba0d100ee87a51525cb7856e831d8dfb0ce
                                                                                                                                • Opcode Fuzzy Hash: beeb3319b0d15a6c797773812aa9f5f5d6280c38e2554855d25ff12966412f07
                                                                                                                                • Instruction Fuzzy Hash: 94024974A04228CFDB65DFB0D898A9DB7F6AF88201F1184EAD50A97344DF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: c872e6494a94dfd6f8432a55422e5573c3fc89879ceed8bca0479f15495f5277
                                                                                                                                • Instruction ID: a9fb5d3e7e606dbc5a49d9faa1e71b11836e55520fbe6d9827d0f935b2499680
                                                                                                                                • Opcode Fuzzy Hash: c872e6494a94dfd6f8432a55422e5573c3fc89879ceed8bca0479f15495f5277
                                                                                                                                • Instruction Fuzzy Hash: 11024974A042288FDB65DFB0D898B9DB7F6AF88201F1184E9D60A97344DF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: 774ae9fdc9abeba25d041f7e4c6deb1df8fa9a8fcd67c19bb90e8ad1c91048b3
                                                                                                                                • Instruction ID: 99e02c99c0e00f788faf7d33dce50eafb68d0ce583194ced2fdeb2f5cadf5816
                                                                                                                                • Opcode Fuzzy Hash: 774ae9fdc9abeba25d041f7e4c6deb1df8fa9a8fcd67c19bb90e8ad1c91048b3
                                                                                                                                • Instruction Fuzzy Hash: 82024874A042288FDB64DFB0D898B9DB7F6AF88201F1184E9D60A97344DF349E85CF91
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: InitializeThunk
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                • Opcode ID: d1785aa35cb061317ad4754cf90fc9710768a15e54c9a08d65f1a75e0d9a0517
                                                                                                                                • Instruction ID: f04a8aa6d6f32c5ebf27f42aa517b2fb8308051e3c0c771bd9e695e3d4a01e55
                                                                                                                                • Opcode Fuzzy Hash: d1785aa35cb061317ad4754cf90fc9710768a15e54c9a08d65f1a75e0d9a0517
                                                                                                                                • Instruction Fuzzy Hash: 1DF13974A042288FDB64DFB4D898B9DB7F6AF88201F1184E9D60A97344DF349E85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 0640B213
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 0640B213
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015652A2
Memory Dump Source
• Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015652A2
Memory Dump Source
• Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 01567CF9
Memory Dump Source
• Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(00000000), ref: 0640B5F8
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?), ref: 06403E4A
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNELBASE(?), ref: 06403E4A
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01566DFF
Memory Dump Source
• Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01566DFF
Memory Dump Source
• Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(00000000), ref: 0640B5F8
Memory Dump Source
• Source File: 00000003.00000002.538273846.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 0156BE72
Memory Dump Source
• Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
                                                                                                                                • Opcode ID: 7ea125863679702e359e8e450a7b7c89d2e910decea3b1bdd65a16875e558b72
                                                                                                                                • Instruction ID: 8f12b0492f2d39842da967ebe1c79a9e7b0013f468a3834e48ac944a408655ab
                                                                                                                                • Opcode Fuzzy Hash: 7ea125863679702e359e8e450a7b7c89d2e910decea3b1bdd65a16875e558b72
                                                                                                                                • Instruction Fuzzy Hash: 2C216A71E453098FDB50DFAAC9497CEBBF8FB44314F24882AD605A7601D7386945CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 01564216
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: HandleModule
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4139908857-0
                                                                                                                                • Opcode ID: 709caf5e2eac61c4da5543d1f5d9dea4abc5b80792001744164e852aba473400
                                                                                                                                • Instruction ID: a4e22c0a53401fb0879fbe8572d2d7055d5bb51f9faf2b0f762c8c0416ced922
                                                                                                                                • Opcode Fuzzy Hash: 709caf5e2eac61c4da5543d1f5d9dea4abc5b80792001744164e852aba473400
                                                                                                                                • Instruction Fuzzy Hash: 212158B1C042498FDB10CFAAD444BDEBBF8BF89224F14886AC559AB600C378A545CFA0
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,068D66A1,00000800), ref: 068D6732
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538521943.00000000068D0000.00000040.00000010.sdmp, Offset: 068D0000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: LibraryLoad
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                • Opcode ID: 1537aeea292e69b10410dc68a56cd9ef1ae20adfd66888ac8daf15d7bd513cbe
                                                                                                                                • Instruction ID: 6519377cfeaaea7e05f3f9e9467a7cfba98dce6022b598874721cc514383e2f1
                                                                                                                                • Opcode Fuzzy Hash: 1537aeea292e69b10410dc68a56cd9ef1ae20adfd66888ac8daf15d7bd513cbe
                                                                                                                                • Instruction Fuzzy Hash: 111114BAD002099FCB10CF99D948BDEFBF5AF88314F14892AD559B7600C379A945CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,068D66A1,00000800), ref: 068D6732
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538521943.00000000068D0000.00000040.00000010.sdmp, Offset: 068D0000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: LibraryLoad
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                • Opcode ID: ee59db63b1b57b4c21efa01dae7077079db00391abaa95a56310125a98b47a9c
                                                                                                                                • Instruction ID: be4d91289e25353650ebab9ec2b5dde2f71242f6be0d3f90f981d20f282193b7
                                                                                                                                • Opcode Fuzzy Hash: ee59db63b1b57b4c21efa01dae7077079db00391abaa95a56310125a98b47a9c
                                                                                                                                • Instruction Fuzzy Hash: 911114B6D0020D9FDB10CF9AD848ADEFBF4EB88314F14852EE519A7600D774A945CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • RtlEncodePointer.NTDLL(00000000), ref: 0156BE72
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: EncodePointer
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2118026453-0
                                                                                                                                • Opcode ID: 7fe35ed9916ab0775fadc2dcfff2011e70dd32c443bf53d6e9476fb37c05c8b0
                                                                                                                                • Instruction ID: f1b08b1cc53932a01bd3b4000639cfb3514f151818b0cae60cf3c9c371538745
                                                                                                                                • Opcode Fuzzy Hash: 7fe35ed9916ab0775fadc2dcfff2011e70dd32c443bf53d6e9476fb37c05c8b0
                                                                                                                                • Instruction Fuzzy Hash: 1A116D71E413098FDB50DFAAC94879EBBF8FB45314F24892AD605A7600C7395944CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 01564216
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: HandleModule
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4139908857-0
                                                                                                                                • Opcode ID: c792cd832733ca732b9c5ae3fa177bb0fdaf965f9fe361403f3da9d0fb134779
                                                                                                                                • Instruction ID: 63198537593544a274e91003740ee3b03c51b71d158b97dc628115b5951ac391
                                                                                                                                • Opcode Fuzzy Hash: c792cd832733ca732b9c5ae3fa177bb0fdaf965f9fe361403f3da9d0fb134779
                                                                                                                                • Instruction Fuzzy Hash: 2A11F3B5C006498FDB20CF9AD444ADEFBF8FF49214F14845AD519B7600C374A545CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 01564216
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: HandleModule
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 4139908857-0
                                                                                                                                • Opcode ID: 9a51ac3fba72d739c1c495ef57a354e600f20fe7a0fd8f786879059c06be243d
                                                                                                                                • Instruction ID: 2c5b37b7d198155848627f6c97897c60d955eb2ea21c3290baefdf8e71221739
                                                                                                                                • Opcode Fuzzy Hash: 9a51ac3fba72d739c1c495ef57a354e600f20fe7a0fd8f786879059c06be243d
                                                                                                                                • Instruction Fuzzy Hash: 591104B5D006498FDB20CF9AD448BDEFBF8FB89214F14842AD529BB600C374A545CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • OleInitialize.OLE32(00000000), ref: 068DA065
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538521943.00000000068D0000.00000040.00000010.sdmp, Offset: 068D0000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: Initialize
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2538663250-0
                                                                                                                                • Opcode ID: bc3ebef6611fc5ee26121c5ae12f0ade371f4419ffc69a591aac5c69f3000397
                                                                                                                                • Instruction ID: 05b6ed6a8c28d2f99582caebfc7cdbbd2e497167f37283c295b130c076d5fd84
                                                                                                                                • Opcode Fuzzy Hash: bc3ebef6611fc5ee26121c5ae12f0ade371f4419ffc69a591aac5c69f3000397
                                                                                                                                • Instruction Fuzzy Hash: 321115B5900248CFCB60CF99D989BDEBBF8EB48364F248859D559B7600C375A944CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                APIs
                                                                                                                                • OleInitialize.OLE32(00000000), ref: 068DA065
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.538521943.00000000068D0000.00000040.00000010.sdmp, Offset: 068D0000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID: Initialize
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 2538663250-0
                                                                                                                                • Opcode ID: e479d1fcca08078b067e6353dc093bae92ee1a1b5245989561491e3acc8c8ab4
                                                                                                                                • Instruction ID: d177db22f489d0987c91e5b813a91a82a22f56edd1242418f2e95f797c90eff4
                                                                                                                                • Opcode Fuzzy Hash: e479d1fcca08078b067e6353dc093bae92ee1a1b5245989561491e3acc8c8ab4
                                                                                                                                • Instruction Fuzzy Hash: AC1103B5900648CFCB20CF99D488BDEFBF8AB48324F248859D559A7700D375A944CFA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.535630799.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 28b50f867eb392287048fdba703429664fd2b9341d7bd01e08602c9a0e3a8c14
                                                                                                                                • Instruction ID: da1c62361a09ea5d69a2a159f824844f364aba7c1c3707a22fb50b7da4671027
                                                                                                                                • Opcode Fuzzy Hash: 28b50f867eb392287048fdba703429664fd2b9341d7bd01e08602c9a0e3a8c14
                                                                                                                                • Instruction Fuzzy Hash: BD214871904200DFDB01DF94D9C4B67BF65FB84324F2485AEDA050B366C336E846CBA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.535659923.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 116d2a89e385235ead486c4ad832dc83fabe87d1c4ec3a5037ccc8d1da5c351b
                                                                                                                                • Instruction ID: b9b34e6a30d86d8108b6e2598e6ab576290c05cf43a10d72b4a6be08b0e6cec7
                                                                                                                                • Opcode Fuzzy Hash: 116d2a89e385235ead486c4ad832dc83fabe87d1c4ec3a5037ccc8d1da5c351b
                                                                                                                                • Instruction Fuzzy Hash: BD212571504204DFDB12CFD4D9D4B16BBB5FB84364F24C9A9D80D4F286D736D846CA61
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.535659923.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 7fc01bcd013068c0d319d55f36d7562b269125124c6e3fa5cff14814f1eaa3d6
                                                                                                                                • Instruction ID: 99475af102d37d2f2d3553eb68bdf8873ca8f8f576d065891809604252d3554c
                                                                                                                                • Opcode Fuzzy Hash: 7fc01bcd013068c0d319d55f36d7562b269125124c6e3fa5cff14814f1eaa3d6
                                                                                                                                • Instruction Fuzzy Hash: 2F217F755093808FCB13CFA4D990B15BF71FB46214F28C5DAD8498F6A7C33A984ACB62
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000003.00000002.535630799.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 26050ac9a710059c9b477200a138371d2ae940eb4f2ea16139302a11668e0a51
                                                                                                                                • Instruction ID: e33e43e4f13d0ce403d20c4738be8fa8cf944a0388d0c43a96cccc5edd03414d
                                                                                                                                • Opcode Fuzzy Hash: 26050ac9a710059c9b477200a138371d2ae940eb4f2ea16139302a11668e0a51
                                                                                                                                • Instruction Fuzzy Hash: 8611AF76804280CFDB16CF54D5C4B16BF71FB84324F2486AED9050B766C336D45ACBA1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%
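Each entry above is one disassembled function: the API it calls with the call-site address, the memory dump it was recovered from, and the opcode/instruction hashes used for clustering. Read individually they say little; the useful view is a roll-up per memory region, because every dump named here is "based on PE: false" with a protection field of 0x40, and code in non-image memory that calls GetModuleHandleW and LoadLibraryExW is the typical shape of an unpacked or injected payload resolving its own imports. The following Python is an added example written for this page, not Joe Sandbox's code and not the sample's: it parses entries in the format shown (the embedded input is constructed from values copied from the entries above), groups API calls by process, base address and protection, flags regions that are writable and executable, not PE-backed and contain loader calls, and lists call sites shared by more than one distinct function. It assumes the .sdmp name fields are pid.phase.uid.base.protect.type and that protect is a winnt.h PAGE_* value (inferred from the names on this page, not documented here); the loader-API list and the "suspicious" rule are the example's own heuristics.

```python
"""Parse Joe Sandbox function entries and report which memory regions the observed
API calls are made from (added example; not Joe Sandbox code)."""
import re
from collections import defaultdict

# winnt.h PAGE_* constants. ASSUMPTION: the 5th dot-separated field of a .sdmp
# name ('<pid>.<phase>.<uid>.<base>.<protect>.<type>.sdmp') is such a value.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
# Heuristic list for this example: APIs a payload uses to resolve its imports.
LOADER_APIS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW",
               "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"}
API_RE = re.compile(r"^•?\s*(?P<api>\w+)\.(?P<mod>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SRC_RE = re.compile(r"^•?\s*Source File:\s*(?P<file>[^,\s]+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)", re.I)
OPCODE_RE = re.compile(r"^•?\s*Opcode ID:\s*(?P<id>[0-9a-f]+)\s*$")


def parse_dump_name(name):
    """Split a .sdmp file name into integer fields (order inferred from the report)."""
    pid, phase, uid, base, protect, typ, _ext = name.split(".")
    return {"pid": int(pid, 16), "phase": int(phase, 16), "base": int(base, 16),
            "protect": int(protect, 16), "type": int(typ, 16)}


def parse_functions(text):
    """One dict per function entry; an entry is closed by its 'Uniqueness Score' line."""
    entries, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur["apis"].append((m["api"], m["mod"], int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            cur["dump"] = parse_dump_name(m["file"])
            cur["dump"]["based_on_pe"] = m["pe"].lower() == "true"
        elif m := OPCODE_RE.match(line):
            cur["opcode_id"] = m["id"]
        elif line.startswith("Uniqueness Score"):
            if "dump" in cur:          # skip stray separators with no entry body
                entries.append(cur)
            cur = {"apis": []}
    return entries


def summarise_regions(entries):
    """Merge entries by (pid, base, protect): the set of APIs each region calls."""
    regions = {}
    for e in entries:
        d = e["dump"]
        r = regions.setdefault((d["pid"], d["base"], d["protect"]), {
            "pid": d["pid"], "base": d["base"], "based_on_pe": d["based_on_pe"],
            "protect": PAGE_PROTECT.get(d["protect"], hex(d["protect"])),
            "apis": set(), "functions": set()})
        r["functions"].add(e.get("opcode_id"))
        r["apis"].update(api for api, _, _ in e["apis"])
    return regions


def suspicious_regions(regions):
    """Writable+executable memory that is not backed by a PE image and whose code
    calls the loader: the usual shape of an unpacked/injected payload."""
    rwx = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
    hits = [r for r in regions.values()
            if r["protect"] in rwx and not r["based_on_pe"] and r["apis"] & LOADER_APIS]
    return sorted(hits, key=lambda r: (r["pid"], r["base"]))


def shared_call_sites(entries):
    """(API, call-site address) pairs that occur in more than one distinct function."""
    sites = defaultdict(set)
    for e in entries:
        for api, _, ref in e["apis"]:
            sites[(api, ref)].add(e.get("opcode_id"))
    return {k: v for k, v in sites.items() if len(v) > 1}


# Constructed sample: five entries reduced to the lines the parser needs, with the
# values copied from the report entries above.
SAMPLE = """\
• GetModuleHandleW.KERNELBASE(00000000), ref: 01564216
• Source File: 00000003.00000002.535777780.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
• Opcode ID: 709caf5e2eac61c4da5543d1f5d9dea4abc5b80792001744164e852aba473400
Uniqueness Score: -1.00%
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,068D66A1,00000800), ref: 068D6732
• Source File: 00000003.00000002.538521943.00000000068D0000.00000040.00000010.sdmp, Offset: 068D0000, based on PE: false
• Opcode ID: 1537aeea292e69b10410dc68a56cd9ef1ae20adfd66888ac8daf15d7bd513cbe
Uniqueness Score: -1.00%
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,068D66A1,00000800), ref: 068D6732
• Source File: 00000003.00000002.538521943.00000000068D0000.00000040.00000010.sdmp, Offset: 068D0000, based on PE: false
• Opcode ID: ee59db63b1b57b4c21efa01dae7077079db00391abaa95a56310125a98b47a9c
Uniqueness Score: -1.00%
• OleInitialize.OLE32(00000000), ref: 068DA065
• Source File: 00000003.00000002.538521943.00000000068D0000.00000040.00000010.sdmp, Offset: 068D0000, based on PE: false
• Opcode ID: bc3ebef6611fc5ee26121c5ae12f0ade371f4419ffc69a591aac5c69f3000397
Uniqueness Score: -1.00%
• Source File: 00000003.00000002.535630799.00000000014FD000.00000040.00000001.sdmp, Offset: 014FD000, based on PE: false
• Opcode ID: 28b50f867eb392287048fdba703429664fd2b9341d7bd01e08602c9a0e3a8c14
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for r in suspicious_regions(summarise_regions(parse_functions(SAMPLE))):
        print(f"pid {r['pid']} base {r['base']:#010x} {r['protect']} PE-backed={r['based_on_pe']} "
              f"functions={len(r['functions'])} apis={sorted(r['apis'])}")
```

Run against the full "Executed Functions" text of a report rather than the constructed sample, the per-region roll-up is what tells you which dumps to pull for static analysis (the RWX, non-image regions calling the loader) and which entries are the same call site seen from overlapping functions rather than separate behaviour. The type field is parsed but deliberately not interpreted, since its meaning is not documented on this page.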

                                                                                                                                Non-executed Functions

Executed Functions

Strings

Memory Dump Source
• Source File: 0000000D.00000002.345182285.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
Similarity
• API ID:
• String ID: $,am
• API String ID: 0-1889935346
• Opcode ID: 30a20b8f2f40f12eb9a2769180388a22c39c02d87da59cf9939b31c7fb1b8149
• Instruction ID: 144c61f4c1a7f7e29ca87a128450b09fa4c98750daee07dab1dc98fc53607ae1
• Opcode Fuzzy Hash: 30a20b8f2f40f12eb9a2769180388a22c39c02d87da59cf9939b31c7fb1b8149
• Instruction Fuzzy Hash: 9E212770B041049FDB55EBB4D8586ADBBFDDBC9204F5045A9D709DB2A4EF305D02CBA2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.345182285.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0efc33457ddf970f8944381531c3e40017f36375a4c2e08662670323e947c186
• Instruction ID: 2fe72cb07cad6c3ffe1eb2271c47b444ec359f7196d163fe451810a7a9863177
• Opcode Fuzzy Hash: 0efc33457ddf970f8944381531c3e40017f36375a4c2e08662670323e947c186
• Instruction Fuzzy Hash: 8381F335A003448FDB259FB4C4186AEBBF6EFC8314F15CA69E5426B264DF75AC81CB81
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.345182285.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa72e0100f0d9d47aa4fdc51f0bc3464987b99f1b200caaacf1fd3ed60d2af9c
• Instruction ID: c67e7adafc276c1ccf4b717c27d34696f264024a34cc497b005919753261beb3
• Opcode Fuzzy Hash: fa72e0100f0d9d47aa4fdc51f0bc3464987b99f1b200caaacf1fd3ed60d2af9c
• Instruction Fuzzy Hash: 2D226E30704601DFEB24DF24E494A3AB7A6EBC8315F949A6CD50687389DF76EC42CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.345182285.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f86a706cfbc911b8142b6afc2a05d639fd9333327b36a87b5adc90fa1a17ed0
• Instruction ID: 48a8a71923b7e772c4a4029895b98581190709798185f43a6c811e1cb79dfad4
• Opcode Fuzzy Hash: 9f86a706cfbc911b8142b6afc2a05d639fd9333327b36a87b5adc90fa1a17ed0
• Instruction Fuzzy Hash: FF3159347042108FC759AB78C46882D33E5AFD9A1931208BDE606CF3B5DB36DC42CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.345182285.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e1fc8b6e0e85a8dd0dbf60d8bce09cf59e0b81e9e896fc893592200060bdc30
• Instruction ID: 0c74ec7ddff857f395420d1a2c0b641f2f955f8c9082d714c53b0a681cedb9fd
• Opcode Fuzzy Hash: 4e1fc8b6e0e85a8dd0dbf60d8bce09cf59e0b81e9e896fc893592200060bdc30
• Instruction Fuzzy Hash: F521F6747042108FC758AB78C46892D73E6AFD9A1936209BCE606CF7B5DB32DC42CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.345182285.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa84611a71726ba84f797be8b7e0890033f6eba4d47bfb47a82d6f317e5e8736
• Instruction ID: 1e0cdb8f3d5251711750abd3f2ab881317abb14966f4d58bc2568aa0f1c75c77
• Opcode Fuzzy Hash: fa84611a71726ba84f797be8b7e0890033f6eba4d47bfb47a82d6f317e5e8736
• Instruction Fuzzy Hash: ED118275E002099FCB04DFB9D8449AEFBB9EF8D310F55866AE51997211EB35AD00CB80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.345182285.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 65de15019f27884b2df5fe991ec96ddcfcecb888fb04517b6c44410487a9fa68
• Instruction ID: 1f3665306ba8eb3065230d3b93bfec407c3a9d567f80464dec0317a6c5cbfd23
• Opcode Fuzzy Hash: 65de15019f27884b2df5fe991ec96ddcfcecb888fb04517b6c44410487a9fa68
• Instruction Fuzzy Hash: 68016D75E002059FCB40DFA9D8848AFF7B9FF8D300B11866AE51497220EB35AD11CB80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.345182285.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9d0be0d72417ea90c7da39b1b0653b8949ea6bf0942ab6d889f42fe9ca1c724
• Instruction ID: 6e4e1ca240b9e4cba0f28b115b493b67b83e2418514290864d49b0488fd1d584
• Opcode Fuzzy Hash: e9d0be0d72417ea90c7da39b1b0653b8949ea6bf0942ab6d889f42fe9ca1c724
• Instruction Fuzzy Hash: A401A460D0E3995FCB129B74AC18099BFB47AC7210F844EFBE5C5D7167D264491883A3
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.345182285.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13824d768e311b457ce92dfbee6521fc48ea56bc4c77e66269f322c72e59f46c
• Instruction ID: 2d94d8f8899e7ba90b0ce909681da397d47a13ba71a81f652489857fbd618be8
• Opcode Fuzzy Hash: 13824d768e311b457ce92dfbee6521fc48ea56bc4c77e66269f322c72e59f46c
• Instruction Fuzzy Hash: 31F01C719443158FDB14DFB4C1587ADBBF0AF88319F250D99E102A7291DBB59DC0CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.345182285.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fedc59cac7e52ee7cff508f945cf751307816e0bdf66ad8a8a1a336d6264238f
• Instruction ID: eb210982778cf670d2246dcf4f2b5dfa325388ea84726c175cab2bc15779223f
• Opcode Fuzzy Hash: fedc59cac7e52ee7cff508f945cf751307816e0bdf66ad8a8a1a336d6264238f
• Instruction Fuzzy Hash: EFD017B1D00229AF8B80EFB899091DEBBF8EA08250B0045A6D91AE3200F2704A108BD1
Uniqueness
• Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

Strings

Memory Dump Source
• Source File: 0000000F.00000002.358539787.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
Similarity
• API ID:
• String ID: $,am
• API String ID: 0-1889935346
• Opcode ID: 4a306c3742676d957bfcd55d57d593f2b771f53c86b2cfbc8584436e7ec690fa
• Instruction ID: d5c5cb67b450261e62a96586e12550e30288311b34f69274c533db9212a92e12
• Opcode Fuzzy Hash: 4a306c3742676d957bfcd55d57d593f2b771f53c86b2cfbc8584436e7ec690fa
• Instruction Fuzzy Hash: 38110670A042046FCB19FBB4D4646AE7BF9DFC5604F1044B9D605EB295EF305D068B92
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.358539787.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81981f75775d1d3b373fa3b8ae76558a1fb23cdd9972354486760e7a4ec389b9
• Instruction ID: 9207ea103f31ec4dad148ce33fc7a431db39576bb989975029543d274b3591a8
• Opcode Fuzzy Hash: 81981f75775d1d3b373fa3b8ae76558a1fb23cdd9972354486760e7a4ec389b9
• Instruction Fuzzy Hash: 7C314B71A043888FEB1ADFB4D4182D97FF2EF89314F058499D145AB2A1DB749DC5CB50
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.358539787.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58c118253abe6e11b5b29d4629eefa14e5ebb14d21372fd4990e5c2a69f355d7
• Instruction ID: 020098bc554c620013f130ec95bd8cf2fe9b60215529fcd72c8e89767f549aca
• Opcode Fuzzy Hash: 58c118253abe6e11b5b29d4629eefa14e5ebb14d21372fd4990e5c2a69f355d7
• Instruction Fuzzy Hash: EC71C374B006448FDB19DFB5D8186ADBBE3EF88304F158929D506AB3A4DF71AC85CB40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.358539787.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17e8d7987b0aeece9e2e52638a3f7a80a9964ab1c8732a8672a79b7f159f7d0a
• Instruction ID: 3f39f6c0a5fdc370379e969824f50cc4085019d2040106587e36c6e20a4ee2a1
• Opcode Fuzzy Hash: 17e8d7987b0aeece9e2e52638a3f7a80a9964ab1c8732a8672a79b7f159f7d0a
• Instruction Fuzzy Hash: C531F6747042108FC759ABB8C46892D37E5AFD9A1931208ADE606CF7B5EB36DC42CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.358539787.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 18aa76fee1b5b0ae162278eb545ff43e7ff99c0820fff5d1fcd664098e7866f2
• Instruction ID: 696eebf47901cee7d2fcdf26de6dcc302b7716da6eaed75731119fd1ffdfdb1f
• Opcode Fuzzy Hash: 18aa76fee1b5b0ae162278eb545ff43e7ff99c0820fff5d1fcd664098e7866f2
• Instruction Fuzzy Hash: 5D21C7747146108FC758AB78C46892D33E5AFD9A1931208ADE606CF7B5DF32DC42CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.358539787.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2c9d594194872d8ec489e27a3d11eacf696d6c3cf566bce298e30ef1ae9d149
• Instruction ID: f46d83cd158c446378d601814538f2dccafe41ae369977a3567332c3f3dc460b
• Opcode Fuzzy Hash: b2c9d594194872d8ec489e27a3d11eacf696d6c3cf566bce298e30ef1ae9d149
• Instruction Fuzzy Hash: AC019276E002059FCB04EFB8D844DAEF7F5FF8D200711866AE514D7224E730A945CB80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.358539787.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e349e44599a5198e5799f003bb8dae4d3f6f2dbf0edad27e66d96dfc75619a11
• Instruction ID: c53f89fb9d148c60f7171c55c53155b3df1853cf90582aad45de81859ed93754
• Opcode Fuzzy Hash: e349e44599a5198e5799f003bb8dae4d3f6f2dbf0edad27e66d96dfc75619a11
• Instruction Fuzzy Hash: 53E0D8B1C0A35C9F9B01DBB955081D9BFF4EE0A250B1040FAD959E7112E3708B09CBD2
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 0000000F.00000002.358539787.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 1ddd7f5ba6a778a37854fe0c80e05a6719a23c6ddedad91c00f15805cb0cfc8d
                                                                                                                                • Instruction ID: b04246f2e7614c7b8b4a812d296a8cee54a5bc3f769b270e5361eee7c2a0fba4
                                                                                                                                • Opcode Fuzzy Hash: 1ddd7f5ba6a778a37854fe0c80e05a6719a23c6ddedad91c00f15805cb0cfc8d
                                                                                                                                • Instruction Fuzzy Hash: 90F01C70A006158FDB18DFA4C05C7AD7BF0BF4C319F150899E142AB2A1CBB59D84CB50
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 0000000F.00000002.358539787.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: c7419a4e7079439cb72277af0a438f375bad623e75e53c3fb77513eb1054a65b
                                                                                                                                • Instruction ID: 060d7f530bd79908b6adbb2549480ed528bd50564456125682da876242802f2a
                                                                                                                                • Opcode Fuzzy Hash: c7419a4e7079439cb72277af0a438f375bad623e75e53c3fb77513eb1054a65b
                                                                                                                                • Instruction Fuzzy Hash: 47D067B1D00229AF8B40EFF9AA091DEBBF8EA08250B1145A6D919E7210E7705A148BD1
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Non-executed Functions