
Windows Analysis Report Dgc1mwB234

Overview

General Information

Sample Name: Dgc1mwB234 (renamed file extension from none to exe)
Analysis ID: 508639
MD5: 5dc1d41e2f9969d85896921f7b4ae261
SHA1: 8dae6eb305ead57eeddfdecbf34cca61af653973
SHA256: 2a95fede08d035e26d8a261c58359901344d23395094bd51f32e868964d61634
Tags: 32, exe, NanoCore, trojan

Detection

NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • Dgc1mwB234.exe (PID: 6408 cmdline: 'C:\Users\user\Desktop\Dgc1mwB234.exe' MD5: 5DC1D41E2F9969D85896921F7B4AE261)
    • schtasks.exe (PID: 6688 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CXFxEHIAOoJFws' /XML 'C:\Users\user\AppData\Local\Temp\tmpC9C9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6720 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "dcf3fee6-c103-45ee-a2f0-f8afaa78", "Group": "A New TIme Has Come", "Domain1": "newme122.3utilities.com", "Domain2": "newme1122.3utilities.com", "Port": 8822, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
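Worked example (added here; it is neither part of the Joe Sandbox report nor NanoCore code): a short Python triage of the configuration above. It pulls out the C2 names, port and resolvers, lists the options that change what a responder should look for, and checks whether the extracted Mutex value is a complete GUID. Here it is not: the value has eight hex digits in its last group, while the mutant the client actually created at runtime (see the System Summary section) is Global\{dcf3fee6-c103-45ee-a2f0-f8afaa78d1fe}, so hunting should match on the prefix rather than the exact string. Two further points the config settles: with UseCustomDNS enabled the client resolves its C2 through 8.8.8.8/8.8.4.4 directly, so the lookup never reaches the corporate resolver's logs and only a network capture sees it (which is how the sandbox saw it); and ClearZoneIdentifier means the dropped EXE will lack a Zone.Identifier stream even though it came from the Internet. The setting descriptions in NOTABLE_WHEN_ENABLED and all function names are this example's own.

```python
"""Triage of a NanoCore client configuration as emitted by a sandbox extractor.

Added example, not part of the Joe Sandbox report and not NanoCore code.
CONFIG_JSON is the report's extracted configuration verbatim; the setting
descriptions below are this example's own readings of the option names.
"""
import json
import re

# Constructed input: the extracted configuration exactly as printed in the report.
CONFIG_JSON = '''{"Version": "1.2.2.0", "Mutex": "dcf3fee6-c103-45ee-a2f0-f8afaa78", "Group": "A New TIme Has Come", "Domain1": "newme122.3utilities.com", "Domain2": "newme1122.3utilities.com", "Port": 8822, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}'''

# Options whose "Enable" value changes what a responder should look for
# (this example's summaries, not NanoCore documentation).
NOTABLE_WHEN_ENABLED = {
    "KeyboardLogging": "keystrokes are captured; treat credentials typed on the host as exposed",
    "ClearZoneIdentifier": "Mark-of-the-Web stream is removed; no Zone.Identifier on the dropped EXE is expected",
    "ClearAccessControl": "ACLs on the implant files are reset",
    "SetCriticalProcess": "client marks itself critical; killing it can crash the host",
    "BypassUAC": "UAC bypass is attempted",
    "RequestElevation": "an elevation prompt is requested",
    "PreventSystemSleep": "host is kept awake so the C2 session persists",
    "UseCustomDNS": "C2 names are resolved via the configured servers, bypassing the host resolver",
}

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def load_config(text: str) -> dict:
    return json.loads(text)


def network_iocs(cfg: dict) -> dict:
    """Collect the C2 endpoints and the resolvers the client will contact directly."""
    domains = sorted({cfg[k] for k in ("Domain1", "Domain2") if cfg.get(k)})
    resolvers = []
    if cfg.get("UseCustomDNS") == "Enable":
        resolvers = [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]
    return {"domains": domains, "port": int(cfg["Port"]), "resolvers": resolvers}


def mutex_pattern(cfg: dict) -> dict:
    """Return the mutant name to hunt for and whether the extracted value is a full GUID.

    The client creates its mutant as Global\\{<guid>}. If the extractor truncated the
    GUID (fewer than 12 hex digits in the last group) only a prefix match is safe,
    so the returned name is left open without the closing brace.
    """
    raw = cfg["Mutex"].strip("{}")
    complete = bool(GUID_RE.match(raw))
    name = f"Global\\{{{raw}}}" if complete else f"Global\\{{{raw}"
    return {"name": name, "complete_guid": complete}


def notable_settings(cfg: dict) -> list:
    return [(k, why) for k, why in NOTABLE_WHEN_ENABLED.items() if cfg.get(k) == "Enable"]


def triage(text: str) -> dict:
    cfg = load_config(text)
    return {
        "version": cfg.get("Version"),
        "group": cfg.get("Group"),
        "network": network_iocs(cfg),
        "mutex": mutex_pattern(cfg),
        "notable": notable_settings(cfg),
        "timers_ms": {k: cfg[k] for k in ("ConnectDelay", "RestartDelay", "KeepAliveTimeout") if k in cfg},
    }


if __name__ == "__main__":
    print(json.dumps(triage(CONFIG_JSON), indent=2))
```

Feeding the full runtime mutant from the System Summary into mutex_pattern yields the exact name with its closing brace; the extractor's value yields only the prefix, which is the form to use in a memory or handle scan.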

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 00000000.00000002.253245800.0000000002801000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security

Source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xfe305:$x1: NanoCore.ClientPluginHost
  • 0xfe342:$x2: IClientNetworkHost
  • 0x101e75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfe06d:$a: NanoCore
  • 0xfe07d:$a: NanoCore
  • 0xfe2b1:$a: NanoCore
  • 0xfe2c5:$a: NanoCore
  • 0xfe305:$a: NanoCore
  • 0xfe0cc:$b: ClientPlugin
  • 0xfe2ce:$b: ClientPlugin
  • 0xfe30e:$b: ClientPlugin
  • 0xfe1f3:$c: ProjectData
  • 0xfebfa:$d: DESCrypto
  • 0x1065c6:$e: KeepAlive
  • 0x1045b4:$g: LogClientMessage
  • 0x1007af:$i: get_Connected
  • 0xb5b32:$j: #=q
  • 0xfef30:$j: #=q
  • 0xfef60:$j: #=q
  • 0xfef7c:$j: #=q
  • 0xfefac:$j: #=q
  • 0xfefc8:$j: #=q
  • 0xfefe4:$j: #=q
  • 0xff014:$j: #=q

Source: 00000000.00000002.254807423.0000000003B0F000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1013d:$x1: NanoCore.ClientPluginHost
  • 0x1017a:$x2: IClientNetworkHost
  • 0x13cad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

(3 further entries not expanded in this export)

Unpacked PEs

Source | Rule | Description | Author | Strings

Source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

Source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Source: 0.2.Dgc1mwB234.exe.2807aac.1.raw.unpack | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security

(4 further entries not expanded in this export)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6720, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6720, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Dgc1mwB234.exe' , ParentImage: C:\Users\user\Desktop\Dgc1mwB234.exe, ParentProcessId: 6408, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6720
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Dgc1mwB234.exe' , ParentImage: C:\Users\user\Desktop\Dgc1mwB234.exe, ParentProcessId: 6408, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6720

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6720, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6720, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
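The two process-creation Sigma hits above come down to simple logic. The following Python is an added example (it is not the Sigma rules' code and not part of the report) that runs that logic over events constructed from the process tree: RegSvcs.exe launched with an empty command line from a parent in a user-writable directory, and schtasks.exe /Create fed a task XML from the user's Temp folder. One caveat worth keeping in the rule: the report records schtasks.exe as C:\Windows\SysWOW64\schtasks.exe although the command line names System32, because the 32-bit parent is subject to WOW64 file-system redirection, so the rule keys on the image basename rather than the full path. The image list, the severity scheme, the parent of the first process and the two benign control events are this example's own.

```python
"""Process-creation detections for the two Sigma hits in the report, over constructed events.

Added example; not part of the Joe Sandbox report and not the Sigma project's rule code.
The first four events are built from the report's process tree (PIDs, images and command
lines as printed there); the parent of the first process and the two benign control events
are invented. The image and directory lists approximate the public rules and are this
example's own.
"""
import ntpath
import re

# Binaries that legitimately run with arguments; an empty command line is the classic
# "sacrificial process" pattern used to host an injected payload.
SACRIFICIAL = {"regsvcs.exe", "regasm.exe", "regsvr32.exe", "rundll32.exe", "msbuild.exe", "installutil.exe"}
# Where a system binary's parent normally lives; anything else counts as user-writable here.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files", r"c:\program files (x86)")
FIRST_TOKEN = re.compile(r'''^\s*(?:"[^"]*"|'[^']*'|\S+)''')
XML_ARG = re.compile(r'''/xml\s+['"]?([^'"\s]+)''', re.I)
TN_ARG = re.compile(r'''/tn\s+['"]?([^'"]+)''', re.I)


def arguments_after_image(cmdline: str) -> str:
    """Everything after the (possibly quoted) image token."""
    return FIRST_TOKEN.sub("", cmdline, count=1).strip()


def from_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def rule_sacrificial_process(ev: dict):
    """Bad-opsec default: a known host binary started with no arguments at all."""
    base = ntpath.basename(ev["Image"]).lower()
    if base in SACRIFICIAL and arguments_after_image(ev["CommandLine"]) == "":
        sev = "medium" if from_system_dir(ev["ParentImage"]) else "high"
        return {"rule": "sacrificial_process_no_args", "severity": sev, "pid": ev["ProcessId"]}
    return None


def rule_schtasks_xml_from_temp(ev: dict):
    """schtasks /Create whose task definition XML sits in the user's Temp directory."""
    if ntpath.basename(ev["Image"]).lower() != "schtasks.exe":   # basename: survives WOW64 redirection
        return None
    cl = ev["CommandLine"]
    xml = XML_ARG.search(cl)
    if "/create" in cl.lower() and xml and "\\appdata\\local\\temp\\" in xml.group(1).lower():
        tn = TN_ARG.search(cl)
        return {"rule": "schtasks_create_xml_from_temp", "severity": "high", "pid": ev["ProcessId"],
                "task": tn.group(1) if tn else None, "xml": xml.group(1)}
    return None


RULES = (rule_sacrificial_process, rule_schtasks_xml_from_temp)


def detect(events):
    """Run every rule over every event; return the hits in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed events: the report's process tree plus two benign controls.
EVENTS = [
    {"ProcessId": 6408, "Image": r"C:\Users\user\Desktop\Dgc1mwB234.exe",
     "CommandLine": r"'C:\Users\user\Desktop\Dgc1mwB234.exe'",
     "ParentImage": r"C:\Windows\explorer.exe"},                                   # parent invented
    {"ProcessId": 6688, "Image": r"C:\Windows\SysWOW64\schtasks.exe",              # redirected path
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CXFxEHIAOoJFws' /XML 'C:\Users\user\AppData\Local\Temp\tmpC9C9.tmp'",
     "ParentImage": r"C:\Users\user\Desktop\Dgc1mwB234.exe"},
    {"ProcessId": 6712, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": r"C:\Windows\SysWOW64\schtasks.exe"},
    {"ProcessId": 6720, "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "ParentImage": r"C:\Users\user\Desktop\Dgc1mwB234.exe"},
    # benign controls (invented): RegSvcs with a real argument, schtasks querying a task
    {"ProcessId": 7001, "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\build\MyComponent.dll",
     "ParentImage": r"C:\Program Files\Installer\setup.exe"},
    {"ProcessId": 7002, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /Query /TN 'Updates\CXFxEHIAOoJFws'",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Against the constructed events only PIDs 6688 and 6720 fire; the RegSvcs.exe control with an argument and the schtasks /Query control stay silent.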

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "dcf3fee6-c103-45ee-a2f0-f8afaa78", "Group": "A New TIme Has Come", "Domain1": "newme122.3utilities.com", "Domain2": "newme1122.3utilities.com", "Port": 8822, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for submitted file
Source: Dgc1mwB234.exe | Virustotal: Detection: 53%
Antivirus detection for URL or domain
Source: newme122.3utilities.com | Avira URL Cloud: Label: phishing
Source: newme1122.3utilities.com | Avira URL Cloud: Label: phishing
Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Dgc1mwB234.exe.38ef178.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254807423.0000000003B0F000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Dgc1mwB234.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\CXFxEHIAOoJFws.exe | Joe Sandbox ML: detected
Source: Dgc1mwB234.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Dgc1mwB234.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: newme1122.3utilities.com
Source: Malware configuration extractor | URLs: newme122.3utilities.com
Source: Joe Sandbox View | ASN Name: LEASEWEB-USA-NYC-11US
Source: Joe Sandbox View | IP Address: 23.105.131.228
Source: global traffic | TCP traffic: 192.168.2.5:49778 -> 23.105.131.228:8822
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Dgc1mwB234.exe, 00000000.00000002.253245800.0000000002801000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Dgc1mwB234.exe, 00000000.00000003.239894261.0000000004BE9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Dgc1mwB234.exe, 00000000.00000003.240273446.0000000004BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersZ
Source: Dgc1mwB234.exe, 00000000.00000003.252140639.0000000004BE0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comk
Source: Dgc1mwB234.exe, 00000000.00000003.252140639.0000000004BE0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comlde
Source: Dgc1mwB234.exe, 00000000.00000003.235069123.0000000004BFB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Dgc1mwB234.exe, 00000000.00000003.235043877.0000000004BFB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com-u
Source: Dgc1mwB234.exe, 00000000.00000003.235103191.0000000004BFB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comc
Source: Dgc1mwB234.exe, 00000000.00000003.236789899.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Dgc1mwB234.exe, 00000000.00000003.236789899.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn#
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Dgc1mwB234.exe, 00000000.00000003.236772569.0000000004C1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn7
Source: Dgc1mwB234.exe, 00000000.00000003.236853218.0000000004C1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnN
Source: Dgc1mwB234.exe, 00000000.00000003.236789899.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnate
Source: Dgc1mwB234.exe, 00000000.00000003.236772569.0000000004C1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cng
Source: Dgc1mwB234.exe, 00000000.00000003.236772569.0000000004C1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl-g
Source: Dgc1mwB234.exe, 00000000.00000003.236982143.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnngH
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp, Dgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Dgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Negr
Source: Dgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-e
Source: Dgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: Dgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Dgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/k
Source: Dgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/no
Source: Dgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: Dgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: Dgc1mwB234.exe, 00000000.00000003.235043877.0000000004BFB000.00000004.00000001.sdmp, Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Dgc1mwB234.exe, 00000000.00000003.235043877.0000000004BFB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.combli
Source: Dgc1mwB234.exe, 00000000.00000003.235094479.0000000004C04000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comblix5M
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Dgc1mwB234.exe, 00000000.00000003.236089540.0000000004BE6000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krre
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Dgc1mwB234.exe, 00000000.00000003.235298130.0000000004BFB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comcm
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: newme122.3utilities.com

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Dgc1mwB234.exe.38ef178.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254807423.0000000003B0F000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Dgc1mwB234.exe.38ef178.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Dgc1mwB234.exe.38ef178.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.254807423.0000000003B0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.254807423.0000000003B0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Dgc1mwB234.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Dgc1mwB234.exe.38ef178.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Dgc1mwB234.exe.38ef178.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Dgc1mwB234.exe.38ef178.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.254807423.0000000003B0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.254807423.0000000003B0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_023A2B20
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_023A387F
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_023A3890
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_0694087A NtQuerySystemInformation
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_06940858 NtQuerySystemInformation
Source: Dgc1mwB234.exe, 00000000.00000002.253245800.0000000002801000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTaskNode.dll4 vs Dgc1mwB234.exe
Source: Dgc1mwB234.exe, 00000000.00000000.233591245.000000000021C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFormatt.exe8 vs Dgc1mwB234.exe
Source: Dgc1mwB234.exe | Binary or memory string: OriginalFilenameFormatt.exe8 vs Dgc1mwB234.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\CXFxEHIAOoJFws.exe 2A95FEDE08D035E26D8A261C58359901344D23395094BD51F32E868964D61634
Source: Dgc1mwB234.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CXFxEHIAOoJFws.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Dgc1mwB234.exe | Virustotal: Detection: 53%
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | File read: C:\Users\user\Desktop\Dgc1mwB234.exe
Source: Dgc1mwB234.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Dgc1mwB234.exe 'C:\Users\user\Desktop\Dgc1mwB234.exe'
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CXFxEHIAOoJFws' /XML 'C:\Users\user\AppData\Local\Temp\tmpC9C9.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CXFxEHIAOoJFws' /XML 'C:\Users\user\AppData\Local\Temp\tmpC9C9.tmp'
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_0694063A AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_06940603 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | File created: C:\Users\user\AppData\Roaming\CXFxEHIAOoJFws.exe
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | File created: C:\Users\user\AppData\Local\Temp\tmpC9C9.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@49/2
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: Dgc1mwB234 | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_01
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Mutant created: \Sessions\1\BaseNamedObjects\rmGtfB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{dcf3fee6-c103-45ee-a2f0-f8afaa78d1fe}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: Dgc1mwB234.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: Dgc1mwB234.exeStatic file information: File size 1085952 > 1048576
          Source: Dgc1mwB234.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Dgc1mwB234.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x108800
          Source: Dgc1mwB234.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

          Data Obfuscation:

.NET source code contains potential unpacker
Source: Dgc1mwB234.exe, aLbmQP5X7AxnbXq2yc/NQiALol57x9DCRXC3f.cs | .Net Code: EOD88KdCEU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: CXFxEHIAOoJFws.exe.0.dr, aLbmQP5X7AxnbXq2yc/NQiALol57x9DCRXC3f.cs | .Net Code: EOD88KdCEU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Dgc1mwB234.exe.110000.0.unpack, aLbmQP5X7AxnbXq2yc/NQiALol57x9DCRXC3f.cs | .Net Code: EOD88KdCEU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Dgc1mwB234.exe.110000.0.unpack, aLbmQP5X7AxnbXq2yc/NQiALol57x9DCRXC3f.cs | .Net Code: EOD88KdCEU System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_022B2C65 push es; ret, 0_2_022B2C66
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_022B2864 push cs; ret, 0_2_022B29AA
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_022B2894 push cs; ret, 0_2_022B29AA
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_022B2FD9 pushfd; ret, 0_2_022B2FE2
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_022C741E push ebp; ret, 0_2_022C742D
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_022C9D13 push ebp; retf, 0_2_022C9D85
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_022C9D7E push ecx; retf, 0_2_022C9D81
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_023A7626 push ebx; retf, 0_2_023A762C
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Code function: 0_2_023A760F push ebp; retf, 0_2_023A7612
Source: initial sample | Static PE information: section name: .text entropy: 7.90482158823
Source: Dgc1mwB234.exe, G7gig1XoOesu002ujr/QO0J29O1epEQ2KyoYx.cs | High entropy of concatenated method names: 'qoNk23KeHa', 'K66krexY1O', 'PDqknkOSUW', 'ghHkJiJagd', 'SgTku5stl3', 'fWmkgoN2U5', 'E5ykcn4I4M', 'c6QkOkDkJ9', 'MMukXI1GhJ', '.ctor'
Source: Dgc1mwB234.exe, ystl3c6mum6VKbFWmo/piJagdp94nIKaI1agT.cs | High entropy of concatenated method names: 'ChT8tOVuYB', 'bJh8mxEW6L', 'kim8lWMFBF', 'dFx8IXLsLO', 'Xhv8RAx199', 'q9h8d1AK5g', 'zVm8vP59JH', '.ctor', 'GNxGoepZ5L', 'YAm8XVK8H4'
Source: Dgc1mwB234.exe, w9AFeXCE2LplTLqrwa/wBlpvxnG1OO8NZvrh2.cs | High entropy of concatenated method names: 'G042ccYIU', 'jVoFPgyQK', 'gQLrWqZ91', 'WU9xXnGcp', 'xIgn6Rsnn', 'hwmCk16El', 'CoTJomARp', 'AS2brx4Hm', 'pLiuTiQbY', '.ctor'
Source: Dgc1mwB234.exe, l7OxcvLstbIw8lvGdC/RvI4vZgoQLudakmusH.cs | High entropy of concatenated method names: 'wN0p2cDfr', 'T5C6PZrZb', '.ctor', 'nGiwowp1Z', 'V2j0HL0v4', 'clNsO0J29', 'TepYEQ2Ky', 'JYxos7gig', 'ToOQesu00', 'eujfrjHtv'
Source: Dgc1mwB234.exe, wy1AdR1np9WlJVqIhu/Cie2rZaBGedqv9947T.cs | High entropy of concatenated method names: 'SlkGgsDX3i', 'bHpGLEUxQy', 'qnKGHPdynA', 'vmdGOEeoJ3', '.ctor', 'hwmGEk16El', 'KQXfyj2zJQ8MrBNeABL', 'pivo7TxOtTwwmcNRlOI', 'tY9QjbxHxcRGrnLGAu4', 'qfGsQdx20MZXaBbxQtj'
Source: Dgc1mwB234.exe, CuDKkqb9fujhnZr9Ai/PP4n1TJr1Xh9QQ9GpY.cs | High entropy of concatenated method names: 'g1Xeh9QQ9', 'cpYtvuDKk', 'g9AiiDfDN', 'nkXlP1Ci2', '.ctor', 'qO8ONZvrh', 'ei9XAFeXE', 'eLpBlTLqr', 'AFZGYZCJd5', 'FaNAP4n1T'
Source: Dgc1mwB234.exe, nNVJ9C3AKISUwBhf7F/LfDNLkuXP1Ci2OIbjn.cs | High entropy of concatenated method names: 'y4vRZoQLu', 'CakymusHu', '.ctor', 'GNxGoepZ5L', 'l3IGQ1d0RG', 'ToString', 'dpJSAufGiedR27AlO7', 'GtT0wqXyUcb1q6aQBd', 'iCkukpzscUq8PAllws', 'zhZwPCHOL6OYbgQVFKI'
Source: Dgc1mwB234.exe, PEJBXMArGEXXMibeB4/VHtvIHBBI0AWiAfhcJ.cs | High entropy of concatenated method names: 'jpjkwsAGDN', 'GMtk0q7LvC', 'OxhkYJucG6', 'bWpkork4Lf', '.ctor', 'l3IGQ1d0RG', 'ToString', 'pluk6S3m4W', 'hJPHskHI11plv4xyaJp', 'lvi45nHGRQeB9GSMfoH'
Source: Dgc1mwB234.exe, sRpRS2Frx4HmHLiTiQ/Asnnnw2mk16ElvoTom.cs | High entropy of concatenated method names: 'AFZkZCJd5', 'QuYnbtNkBAIknWgOB4', 'Xe921B6KBuqrDhUc2i', 'AerSd7r5Mj1frUSoQ3', 'EUwFwIa9RhhA0y84vV', 'qnbJsWcestqFm4lt9c', 'uCSrdb7B9GDDPpnkO5'
Source: Dgc1mwB234.exe, zsKCbvMEqdplulquC5/l83ecsIQRYPU9U2WDW.cs | High entropy of concatenated method names: 'I5K8uZpD7H', 'mF583XMeqW', '.ctor', 'GNxGoepZ5L', 'l3IGQ1d0RG', 'ToString', 'roYdQD2h0yQjGEh2C9Q', 'RLjTxv28FEAwN9Gf6Kc', 'usXvsr2mPlZhnIfkwA9'
Source: Dgc1mwB234.exe, aLbmQP5X7AxnbXq2yc/NQiALol57x9DCRXC3f.cs | High entropy of concatenated method names: '.ctor', 'oIIkzTr2L0', 'QQ68qt0Juf', 'Dispose', 'xpn8kRlOqe', 'EOD88KdCEU', 'W6NjmbH3MRaI6VdAhj7', 'rmRrjoHpfMLwMSRCXnw', 'RtnZp7HeLQoraQN6lnO', 'F5RhEBHu37vqd1Olwjw'
Source: CXFxEHIAOoJFws.exe.0.dr, G7gig1XoOesu002ujr/QO0J29O1epEQ2KyoYx.cs | High entropy of concatenated method names: 'qoNk23KeHa', 'K66krexY1O', 'PDqknkOSUW', 'ghHkJiJagd', 'SgTku5stl3', 'fWmkgoN2U5', 'E5ykcn4I4M', 'c6QkOkDkJ9', 'MMukXI1GhJ', '.ctor'
Source: CXFxEHIAOoJFws.exe.0.dr, w9AFeXCE2LplTLqrwa/wBlpvxnG1OO8NZvrh2.cs | High entropy of concatenated method names: 'G042ccYIU', 'jVoFPgyQK', 'gQLrWqZ91', 'WU9xXnGcp', 'xIgn6Rsnn', 'hwmCk16El', 'CoTJomARp', 'AS2brx4Hm', 'pLiuTiQbY', '.ctor'
Source: CXFxEHIAOoJFws.exe.0.dr, aLbmQP5X7AxnbXq2yc/NQiALol57x9DCRXC3f.cs | High entropy of concatenated method names: '.ctor', 'oIIkzTr2L0', 'QQ68qt0Juf', 'Dispose', 'xpn8kRlOqe', 'EOD88KdCEU', 'W6NjmbH3MRaI6VdAhj7', 'rmRrjoHpfMLwMSRCXnw', 'RtnZp7HeLQoraQN6lnO', 'F5RhEBHu37vqd1Olwjw'
Source: CXFxEHIAOoJFws.exe.0.dr, l7OxcvLstbIw8lvGdC/RvI4vZgoQLudakmusH.cs | High entropy of concatenated method names: 'wN0p2cDfr', 'T5C6PZrZb', '.ctor', 'nGiwowp1Z', 'V2j0HL0v4', 'clNsO0J29', 'TepYEQ2Ky', 'JYxos7gig', 'ToOQesu00', 'eujfrjHtv'
Source: CXFxEHIAOoJFws.exe.0.dr, ystl3c6mum6VKbFWmo/piJagdp94nIKaI1agT.cs | High entropy of concatenated method names: 'ChT8tOVuYB', 'bJh8mxEW6L', 'kim8lWMFBF', 'dFx8IXLsLO', 'Xhv8RAx199', 'q9h8d1AK5g', 'zVm8vP59JH', '.ctor', 'GNxGoepZ5L', 'YAm8XVK8H4'
Source: CXFxEHIAOoJFws.exe.0.dr, CuDKkqb9fujhnZr9Ai/PP4n1TJr1Xh9QQ9GpY.cs | High entropy of concatenated method names: 'g1Xeh9QQ9', 'cpYtvuDKk', 'g9AiiDfDN', 'nkXlP1Ci2', '.ctor', 'qO8ONZvrh', 'ei9XAFeXE', 'eLpBlTLqr', 'AFZGYZCJd5', 'FaNAP4n1T'
Source: CXFxEHIAOoJFws.exe.0.dr, PEJBXMArGEXXMibeB4/VHtvIHBBI0AWiAfhcJ.cs | High entropy of concatenated method names: 'jpjkwsAGDN', 'GMtk0q7LvC', 'OxhkYJucG6', 'bWpkork4Lf', '.ctor', 'l3IGQ1d0RG', 'ToString', 'pluk6S3m4W', 'hJPHskHI11plv4xyaJp', 'lvi45nHGRQeB9GSMfoH'
Source: CXFxEHIAOoJFws.exe.0.dr, nNVJ9C3AKISUwBhf7F/LfDNLkuXP1Ci2OIbjn.cs | High entropy of concatenated method names: 'y4vRZoQLu', 'CakymusHu', '.ctor', 'GNxGoepZ5L', 'l3IGQ1d0RG', 'ToString', 'dpJSAufGiedR27AlO7', 'GtT0wqXyUcb1q6aQBd', 'iCkukpzscUq8PAllws', 'zhZwPCHOL6OYbgQVFKI'
Source: CXFxEHIAOoJFws.exe.0.dr, sRpRS2Frx4HmHLiTiQ/Asnnnw2mk16ElvoTom.cs | High entropy of concatenated method names: 'AFZkZCJd5', 'QuYnbtNkBAIknWgOB4', 'Xe921B6KBuqrDhUc2i', 'AerSd7r5Mj1frUSoQ3', 'EUwFwIa9RhhA0y84vV', 'qnbJsWcestqFm4lt9c', 'uCSrdb7B9GDDPpnkO5'
Source: CXFxEHIAOoJFws.exe.0.dr, zsKCbvMEqdplulquC5/l83ecsIQRYPU9U2WDW.cs | High entropy of concatenated method names: 'I5K8uZpD7H', 'mF583XMeqW', '.ctor', 'GNxGoepZ5L', 'l3IGQ1d0RG', 'ToString', 'roYdQD2h0yQjGEh2C9Q', 'RLjTxv28FEAwN9Gf6Kc', 'usXvsr2mPlZhnIfkwA9'
Source: CXFxEHIAOoJFws.exe.0.dr, wy1AdR1np9WlJVqIhu/Cie2rZaBGedqv9947T.cs | High entropy of concatenated method names: 'SlkGgsDX3i', 'bHpGLEUxQy', 'qnKGHPdynA', 'vmdGOEeoJ3', '.ctor', 'hwmGEk16El', 'KQXfyj2zJQ8MrBNeABL', 'pivo7TxOtTwwmcNRlOI', 'tY9QjbxHxcRGrnLGAu4', 'qfGsQdx20MZXaBbxQtj'
Source: 0.2.Dgc1mwB234.exe.110000.0.unpack, w9AFeXCE2LplTLqrwa/wBlpvxnG1OO8NZvrh2.cs | High entropy of concatenated method names: 'G042ccYIU', 'jVoFPgyQK', 'gQLrWqZ91', 'WU9xXnGcp', 'xIgn6Rsnn', 'hwmCk16El', 'CoTJomARp', 'AS2brx4Hm', 'pLiuTiQbY', '.ctor'
Source: 0.2.Dgc1mwB234.exe.110000.0.unpack, G7gig1XoOesu002ujr/QO0J29O1epEQ2KyoYx.cs | High entropy of concatenated method names: 'qoNk23KeHa', 'K66krexY1O', 'PDqknkOSUW', 'ghHkJiJagd', 'SgTku5stl3', 'fWmkgoN2U5', 'E5ykcn4I4M', 'c6QkOkDkJ9', 'MMukXI1GhJ', '.ctor'
Source: 0.2.Dgc1mwB234.exe.110000.0.unpack, l7OxcvLstbIw8lvGdC/RvI4vZgoQLudakmusH.cs | High entropy of concatenated method names: 'wN0p2cDfr', 'T5C6PZrZb', '.ctor', 'nGiwowp1Z', 'V2j0HL0v4', 'clNsO0J29', 'TepYEQ2Ky', 'JYxos7gig', 'ToOQesu00', 'eujfrjHtv'
Source: 0.2.Dgc1mwB234.exe.110000.0.unpack, aLbmQP5X7AxnbXq2yc/NQiALol57x9DCRXC3f.cs | High entropy of concatenated method names: '.ctor', 'oIIkzTr2L0', 'QQ68qt0Juf', 'Dispose', 'xpn8kRlOqe', 'EOD88KdCEU', 'W6NjmbH3MRaI6VdAhj7', 'rmRrjoHpfMLwMSRCXnw', 'RtnZp7HeLQoraQN6lnO', 'F5RhEBHu37vqd1Olwjw'
Source: 0.2.Dgc1mwB234.exe.110000.0.unpack, ystl3c6mum6VKbFWmo/piJagdp94nIKaI1agT.cs | High entropy of concatenated method names: 'ChT8tOVuYB', 'bJh8mxEW6L', 'kim8lWMFBF', 'dFx8IXLsLO', 'Xhv8RAx199', 'q9h8d1AK5g', 'zVm8vP59JH', '.ctor', 'GNxGoepZ5L', 'YAm8XVK8H4'
Source: 0.2.Dgc1mwB234.exe.110000.0.unpack, CuDKkqb9fujhnZr9Ai/PP4n1TJr1Xh9QQ9GpY.cs | High entropy of concatenated method names: 'g1Xeh9QQ9', 'cpYtvuDKk', 'g9AiiDfDN', 'nkXlP1Ci2', '.ctor', 'qO8ONZvrh', 'ei9XAFeXE', 'eLpBlTLqr', 'AFZGYZCJd5', 'FaNAP4n1T'
Source: 0.2.Dgc1mwB234.exe.110000.0.unpack, PEJBXMArGEXXMibeB4/VHtvIHBBI0AWiAfhcJ.cs | High entropy of concatenated method names: 'jpjkwsAGDN', 'GMtk0q7LvC', 'OxhkYJucG6', 'bWpkork4Lf', '.ctor', 'l3IGQ1d0RG', 'ToString', 'pluk6S3m4W', 'hJPHskHI11plv4xyaJp', 'lvi45nHGRQeB9GSMfoH'
Source: 0.2.Dgc1mwB234.exe.110000.0.unpack, nNVJ9C3AKISUwBhf7F/LfDNLkuXP1Ci2OIbjn.cs | High entropy of concatenated method names: 'y4vRZoQLu', 'CakymusHu', '.ctor', 'GNxGoepZ5L', 'l3IGQ1d0RG', 'ToString', 'dpJSAufGiedR27AlO7', 'GtT0wqXyUcb1q6aQBd', 'iCkukpzscUq8PAllws', 'zhZwPCHOL6OYbgQVFKI'
Source: 0.2.Dgc1mwB234.exe.110000.0.unpack, sRpRS2Frx4HmHLiTiQ/Asnnnw2mk16ElvoTom.cs | High entropy of concatenated method names: 'AFZkZCJd5', 'QuYnbtNkBAIknWgOB4', 'Xe921B6KBuqrDhUc2i', 'AerSd7r5Mj1frUSoQ3', 'EUwFwIa9RhhA0y84vV', 'qnbJsWcestqFm4lt9c', 'uCSrdb7B9GDDPpnkO5'
Source: 0.2.Dgc1mwB234.exe.110000.0.unpack, zsKCbvMEqdplulquC5/l83ecsIQRYPU9U2WDW.cs | High entropy of concatenated method names: 'I5K8uZpD7H', 'mF583XMeqW', '.ctor', 'GNxGoepZ5L', 'l3IGQ1d0RG', 'ToString', 'roYdQD2h0yQjGEh2C9Q', 'RLjTxv28FEAwN9Gf6Kc', 'usXvsr2mPlZhnIfkwA9'
Source: 0.2.Dgc1mwB234.exe.110000.0.unpack, wy1AdR1np9WlJVqIhu/Cie2rZaBGedqv9947T.cs | High entropy of concatenated method names: 'SlkGgsDX3i', 'bHpGLEUxQy', 'qnKGHPdynA', 'vmdGOEeoJ3', '.ctor', 'hwmGEk16El', 'KQXfyj2zJQ8MrBNeABL', 'pivo7TxOtTwwmcNRlOI', 'tY9QjbxHxcRGrnLGAu4', 'qfGsQdx20MZXaBbxQtj'
Source: 0.0.Dgc1mwB234.exe.110000.0.unpack, G7gig1XoOesu002ujr/QO0J29O1epEQ2KyoYx.cs | High entropy of concatenated method names: 'qoNk23KeHa', 'K66krexY1O', 'PDqknkOSUW', 'ghHkJiJagd', 'SgTku5stl3', 'fWmkgoN2U5', 'E5ykcn4I4M', 'c6QkOkDkJ9', 'MMukXI1GhJ', '.ctor'
Source: 0.0.Dgc1mwB234.exe.110000.0.unpack, w9AFeXCE2LplTLqrwa/wBlpvxnG1OO8NZvrh2.cs | High entropy of concatenated method names: 'G042ccYIU', 'jVoFPgyQK', 'gQLrWqZ91', 'WU9xXnGcp', 'xIgn6Rsnn', 'hwmCk16El', 'CoTJomARp', 'AS2brx4Hm', 'pLiuTiQbY', '.ctor'
Source: 0.0.Dgc1mwB234.exe.110000.0.unpack, aLbmQP5X7AxnbXq2yc/NQiALol57x9DCRXC3f.cs | High entropy of concatenated method names: '.ctor', 'oIIkzTr2L0', 'QQ68qt0Juf', 'Dispose', 'xpn8kRlOqe', 'EOD88KdCEU', 'W6NjmbH3MRaI6VdAhj7', 'rmRrjoHpfMLwMSRCXnw', 'RtnZp7HeLQoraQN6lnO', 'F5RhEBHu37vqd1Olwjw'
Source: 0.0.Dgc1mwB234.exe.110000.0.unpack, l7OxcvLstbIw8lvGdC/RvI4vZgoQLudakmusH.cs | High entropy of concatenated method names: 'wN0p2cDfr', 'T5C6PZrZb', '.ctor', 'nGiwowp1Z', 'V2j0HL0v4', 'clNsO0J29', 'TepYEQ2Ky', 'JYxos7gig', 'ToOQesu00', 'eujfrjHtv'
Source: 0.0.Dgc1mwB234.exe.110000.0.unpack, ystl3c6mum6VKbFWmo/piJagdp94nIKaI1agT.cs | High entropy of concatenated method names: 'ChT8tOVuYB', 'bJh8mxEW6L', 'kim8lWMFBF', 'dFx8IXLsLO', 'Xhv8RAx199', 'q9h8d1AK5g', 'zVm8vP59JH', '.ctor', 'GNxGoepZ5L', 'YAm8XVK8H4'
Source: 0.0.Dgc1mwB234.exe.110000.0.unpack, nNVJ9C3AKISUwBhf7F/LfDNLkuXP1Ci2OIbjn.cs | High entropy of concatenated method names: 'y4vRZoQLu', 'CakymusHu', '.ctor', 'GNxGoepZ5L', 'l3IGQ1d0RG', 'ToString', 'dpJSAufGiedR27AlO7', 'GtT0wqXyUcb1q6aQBd', 'iCkukpzscUq8PAllws', 'zhZwPCHOL6OYbgQVFKI'
Source: 0.0.Dgc1mwB234.exe.110000.0.unpack, CuDKkqb9fujhnZr9Ai/PP4n1TJr1Xh9QQ9GpY.cs | High entropy of concatenated method names: 'g1Xeh9QQ9', 'cpYtvuDKk', 'g9AiiDfDN', 'nkXlP1Ci2', '.ctor', 'qO8ONZvrh', 'ei9XAFeXE', 'eLpBlTLqr', 'AFZGYZCJd5', 'FaNAP4n1T'
Source: 0.0.Dgc1mwB234.exe.110000.0.unpack, PEJBXMArGEXXMibeB4/VHtvIHBBI0AWiAfhcJ.cs | High entropy of concatenated method names: 'jpjkwsAGDN', 'GMtk0q7LvC', 'OxhkYJucG6', 'bWpkork4Lf', '.ctor', 'l3IGQ1d0RG', 'ToString', 'pluk6S3m4W', 'hJPHskHI11plv4xyaJp', 'lvi45nHGRQeB9GSMfoH'
Source: 0.0.Dgc1mwB234.exe.110000.0.unpack, sRpRS2Frx4HmHLiTiQ/Asnnnw2mk16ElvoTom.cs | High entropy of concatenated method names: 'AFZkZCJd5', 'QuYnbtNkBAIknWgOB4', 'Xe921B6KBuqrDhUc2i', 'AerSd7r5Mj1frUSoQ3', 'EUwFwIa9RhhA0y84vV', 'qnbJsWcestqFm4lt9c', 'uCSrdb7B9GDDPpnkO5'
Source: 0.0.Dgc1mwB234.exe.110000.0.unpack, zsKCbvMEqdplulquC5/l83ecsIQRYPU9U2WDW.cs | High entropy of concatenated method names: 'I5K8uZpD7H', 'mF583XMeqW', '.ctor', 'GNxGoepZ5L', 'l3IGQ1d0RG', 'ToString', 'roYdQD2h0yQjGEh2C9Q', 'RLjTxv28FEAwN9Gf6Kc', 'usXvsr2mPlZhnIfkwA9'
Source: 0.0.Dgc1mwB234.exe.110000.0.unpack, wy1AdR1np9WlJVqIhu/Cie2rZaBGedqv9947T.cs | High entropy of concatenated method names: 'SlkGgsDX3i', 'bHpGLEUxQy', 'qnKGHPdynA', 'vmdGOEeoJ3', '.ctor', 'hwmGEk16El', 'KQXfyj2zJQ8MrBNeABL', 'pivo7TxOtTwwmcNRlOI', 'tY9QjbxHxcRGrnLGAu4', 'qfGsQdx20MZXaBbxQtj'
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | File created: C:\Users\user\AppData\Roaming\CXFxEHIAOoJFws.exe

          Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CXFxEHIAOoJFws' /XML 'C:\Users\user\AppData\Local\Temp\tmpC9C9.tmp'

          Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier (read attributes, delete)
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.Dgc1mwB234.exe.2807aac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.253245800.0000000002801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Dgc1mwB234.exe PID: 6408, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Dgc1mwB234.exe, 00000000.00000002.253245800.0000000002801000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Dgc1mwB234.exe, 00000000.00000002.253245800.0000000002801000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Dgc1mwB234.exe TID: 6412 | Thread sleep time: -37098s >= -30000s
Source: C:\Users\user\Desktop\Dgc1mwB234.exe TID: 6440 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 640
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 748
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Thread delayed: delay time: 37098
Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: Dgc1mwB234.exe, 00000000.00000002.253245800.0000000002801000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Dgc1mwB234.exe, 00000000.00000002.253245800.0000000002801000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Dgc1mwB234.exe, 00000000.00000002.253245800.0000000002801000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: RegSvcs.exe, 00000006.00000003.294917202.00000000015C7000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: Dgc1mwB234.exe, 00000000.00000002.253245800.0000000002801000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 100F008
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CXFxEHIAOoJFws' /XML 'C:\Users\user\AppData\Local\Temp\tmpC9C9.tmp'
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: C:\Users\user\Desktop\Dgc1mwB234.exeCode function: 0_2_022BA2F6 GetUserNameW,0_2_022BA2F6

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Dgc1mwB234.exe.38ef178.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.254807423.0000000003B0F000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 0.2.Dgc1mwB234.exe.38ef178.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Dgc1mwB234.exe.38ef178.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.254807423.0000000003B0F000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          (The number after a technique name is the count of matched signatures for that technique in this analysis.)

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 3 1 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job 1 | Virtualization/Sandbox Evasion 2 1 | Security Account Manager | Virtualization/Sandbox Evasion 2 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 1 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 3 1 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 1 2 | Proc Filesystem | File and Directory Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 1 2 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |

          Behavior Graph

          Behavior Graph ID: 508639 | Sample: Dgc1mwB234 | Startdate: 25/10/2021 | Architecture: WINDOWS | Score: 100
          Contacted domains: newme122.3utilities.com, newme1122.3utilities.com
          Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures
          Process tree (graph rendered as text):
          Dgc1mwB234.exe (started)
            Dropped: C:\Users\user\AppData\...\CXFxEHIAOoJFws.exe (PE32); C:\...\CXFxEHIAOoJFws.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpC9C9.tmp (XML); C:\Users\user\AppData\...\Dgc1mwB234.exe.log (ASCII)
            Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
            RegSvcs.exe (started by Dgc1mwB234.exe)
              DNS/IP: newme122.3utilities.com 23.105.131.228, 49778, 49783, 49784, LEASEWEB-USA-NYC-11 US, United States; newme1122.3utilities.com; 192.168.2.1 unknown unknown
              Dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
              Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
            schtasks.exe (started by Dgc1mwB234.exe)
              conhost.exe (started by schtasks.exe)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner
          Dgc1mwB234.exe | 54% | Virustotal
          Dgc1mwB234.exe | 100% | Joe Sandbox ML

          Dropped Files

          Source | Detection | Scanner
          C:\Users\user\AppData\Roaming\CXFxEHIAOoJFws.exe | 100% | Joe Sandbox ML

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cnN | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.sajatypeworks.combli | 0% | Avira URL Cloud | safe
          http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cnl-g | 0% | URL Reputation | safe
          newme122.3utilities.com | 100% | Avira URL Cloud | phishing
          http://www.tiro.comcm | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/jp/k | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.sajatypeworks.comblix5M | 0% | Avira URL Cloud | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.founder.com.cn/cng | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.fontbureau.comlde | 0% | Avira URL Cloud | safe
          http://www.fonts.comc | 0% | URL Reputation | safe
          newme1122.3utilities.com | 100% | Avira URL Cloud | phishing
          http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
          http://www.founder.com.cn/cnngH | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/Negr | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/y | 0% | URL Reputation | safe
          http://www.fontbureau.comk | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn7 | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/p | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/Y0-e | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cnate | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/b | 0% | URL Reputation | safe
          http://www.fonts.com-u | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn# | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/no | 0% | Avira URL Cloud | safe
          http://www.sandoll.co.krre | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          newme122.3utilities.com | 23.105.131.228 | true | true | | unknown
          newme1122.3utilities.com | unknown | unknown | true | | unknown

              Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          newme122.3utilities.com | true | Avira URL Cloud: phishing | unknown
          newme1122.3utilities.com | true | Avira URL Cloud: phishing | unknown

              URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.founder.com.cn/cnN | Dgc1mwB234.exe, 00000000.00000003.236853218.0000000004C1D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designersG | Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | | high
          http://www.tiro.com | Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | Dgc1mwB234.exe, 00000000.00000003.239894261.0000000004BE9000.00000004.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersZ | Dgc1mwB234.exe, 00000000.00000003.240273446.0000000004BED000.00000004.00000001.sdmp | false | | high
          http://www.goodfont.co.kr | Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.combli | Dgc1mwB234.exe, 00000000.00000003.235043877.0000000004BFB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.collada.org/2005/11/COLLADASchema9Done | Dgc1mwB234.exe, 00000000.00000002.253245800.0000000002801000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | Dgc1mwB234.exe, 00000000.00000003.235043877.0000000004BFB000.00000004.00000001.sdmp, Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.typography.netD | Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn/cThe | Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cnl-g | Dgc1mwB234.exe, 00000000.00000003.236772569.0000000004C1D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.tiro.comcm | Dgc1mwB234.exe, 00000000.00000003.235298130.0000000004BFB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.jiyu-kobo.co.jp/jp/k | Dgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.galapagosdesign.com/DPlease | Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fonts.com | Dgc1mwB234.exe, 00000000.00000003.235069123.0000000004BFB000.00000004.00000001.sdmp | false | | high
          http://www.sandoll.co.kr | Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://www.sajatypeworks.comblix5MDgc1mwB234.exe, 00000000.00000003.235094479.0000000004C04000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.urwpp.deDPleaseDgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.zhongyicts.com.cnDgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.founder.com.cn/cngDgc1mwB234.exe, 00000000.00000003.236772569.0000000004C1D000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.sakkal.comDgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.comldeDgc1mwB234.exe, 00000000.00000003.252140639.0000000004BE0000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.apache.org/licenses/LICENSE-2.0Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
                            high
                            http://www.fontbureau.comDgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
                              high
                              http://www.fonts.comcDgc1mwB234.exe, 00000000.00000003.235103191.0000000004BFB000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/jp/Dgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cnngHDgc1mwB234.exe, 00000000.00000003.236982143.0000000004BE4000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.carterandcone.comlDgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/NegrDgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/yDgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers/cabarga.htmlNDgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
                                high
                                http://www.fontbureau.comkDgc1mwB234.exe, 00000000.00000003.252140639.0000000004BE0000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.founder.com.cn/cnDgc1mwB234.exe, 00000000.00000003.236789899.0000000004BE4000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/frere-jones.htmlDgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.founder.com.cn/cn7Dgc1mwB234.exe, 00000000.00000003.236772569.0000000004C1D000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/pDgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmp, Dgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/Y0-eDgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.com/designers8Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.founder.com.cn/cnateDgc1mwB234.exe, 00000000.00000003.236789899.0000000004BE4000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/bDgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fonts.com-uDgc1mwB234.exe, 00000000.00000003.235043877.0000000004BFB000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cn#Dgc1mwB234.exe, 00000000.00000003.236789899.0000000004BE4000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/noDgc1mwB234.exe, 00000000.00000003.238113594.0000000004BE4000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.sandoll.co.krreDgc1mwB234.exe, 00000000.00000003.236089540.0000000004BE6000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
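The rows above are strings found in process memory, not observed network traffic: every host is a type foundry whose URL sits in the name table of fonts the process loaded (System.Drawing and System.Windows.Forms both appear in the CLR usage log further down), which is why each row carries a safe or high reputation and Malicious: false, and why the URL is often followed by a few bytes of unrelated memory. The only real network indicator in this part of the report is the C2 host under Contacted IPs. The Python below is an added example, not code from the report or from Joe Sandbox; it parses a subset of the rows above, copied verbatim, into records, collapses hosts that differ only by trailing memory junk onto the clean host when that host also occurs in the list, and returns the hosts that still merit a look. The cut-off rule in needs_analyst_attention is this example's own.

```python
"""Parse the flattened URL rows of this report into structured records and
collapse the memory-string noise by host. Added example; not code from the
report or from Joe Sandbox. The format (URL and source fused into one field,
the 'true'/'false' Malicious flag glued on the end, then optional verdict
and reputation lines) is what the text extraction of the report produced.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_NAME = "Dgc1mwB234.exe"   # the source column always starts with the sample's name

# Constructed input: a subset of the rows in the report, copied verbatim.
SAMPLE_ROWS = """\
http://www.founder.com.cn/cn/bTheDgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
• URL Reputation: safe
unknown
http://www.fontbureau.com/designers?Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
high
http://www.tiro.comDgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
• URL Reputation: safe
unknown
http://www.sajatypeworks.combliDgc1mwB234.exe, 00000000.00000003.235043877.0000000004BFB000.00000004.00000001.sdmpfalse
• Avira URL Cloud: safe
unknown
http://www.sajatypeworks.comDgc1mwB234.exe, 00000000.00000003.235043877.0000000004BFB000.00000004.00000001.sdmp, Dgc1mwB234.exe, 00000000.00000002.256921442.0000000005E72000.00000004.00000001.sdmpfalse
• URL Reputation: safe
unknown
http://www.tiro.comcmDgc1mwB234.exe, 00000000.00000003.235298130.0000000004BFB000.00000004.00000001.sdmpfalse
• Avira URL Cloud: safe
unknown
http://www.founder.com.cn/cnDgc1mwB234.exe, 00000000.00000003.236789899.0000000004BE4000.00000004.00000001.sdmpfalse
• URL Reputation: safe
unknown
"""

ROW_RE = re.compile(
    r"^(?P<url>https?://\S*?)"                               # URL plus trailing memory junk
    r"(?P<src>" + re.escape(SAMPLE_NAME) + r", .*\.sdmp)"    # one or more 'file, region' pairs
    r"(?P<malicious>true|false)$"
)
SRC_RE = re.compile(r"([^,\s]+), ([^,\s]+\.sdmp)")
REPUTATIONS = {"high", "low", "unknown"}


def parse_rows(text: str) -> list:
    """One dict per URL row; the verdict bullets and the reputation word that
    follow a row in the flattened text are attached to that row."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "url": m["url"],
                "host": urlparse(m["url"]).netloc,
                "sources": SRC_RE.findall(m["src"]),   # [(file, memory region), ...]
                "malicious": m["malicious"] == "true",
                "verdicts": [],
                "reputation": None,
            })
        elif rows and line.startswith("•"):
            rows[-1]["verdicts"].append(line.lstrip("• ").strip())
        elif rows and line in REPUTATIONS:
            rows[-1]["reputation"] = line
    return rows


def canonical_host(host: str, hosts) -> str:
    """Map a host with trailing junk (www.tiro.comcm) onto the longest cleaner
    host it extends (www.tiro.com), provided that host occurs in the same list.
    A host without such a prefix is left alone rather than guessed at."""
    prefixes = [h for h in hosts if h != host and host.startswith(h)]
    return max(prefixes, key=len) if prefixes else host


def summarize(rows: list) -> dict:
    """Aggregate hit counts, flags, verdicts and reputations per canonical host."""
    hosts = {r["host"] for r in rows}
    out = defaultdict(lambda: {"hits": 0, "malicious": False,
                               "verdicts": set(), "reputation": set()})
    for r in rows:
        s = out[canonical_host(r["host"], hosts)]
        s["hits"] += len(r["sources"])
        s["malicious"] |= r["malicious"]
        s["verdicts"].update(r["verdicts"])
        if r["reputation"]:
            s["reputation"].add(r["reputation"])
    return dict(out)


def needs_analyst_attention(summary: dict) -> list:
    """Hosts flagged malicious, or with neither an AV verdict nor a 'high'
    (well-known) reputation. Rule is this example's own, not the report's."""
    return sorted(h for h, s in summary.items()
                  if s["malicious"] or (not s["verdicts"] and "high" not in s["reputation"]))
```

Run over the rows above the summary collapses six host spellings to four foundries and needs_analyst_attention returns nothing, which is the right triage outcome for this list: the pivot-worthy indicator is the C2 domain in the next section, not anything here.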

                                    Contacted IPs


                                    Public

IP: 23.105.131.228 | Domain: newme122.3utilities.com | Country: United States | ASN: 396362 | ASN Name: LEASEWEB-USA-NYC-11US | Malicious: true

                                    Private

IP: 192.168.2.1

                                    General Information

                                    Joe Sandbox Version:33.0.0 White Diamond
                                    Analysis ID:508639
                                    Start date:25.10.2021
                                    Start time:13:17:18
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 8m 33s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:Dgc1mwB234 (renamed file extension from none to exe)
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@6/5@49/2
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 4.9% (good quality ratio 3.6%)
                                    • Quality average: 61.1%
                                    • Quality standard deviation: 41.4%
                                    HCA Information:
                                    • Successful, ratio: 80%
                                    • Number of executed functions: 124
                                    • Number of non-executed functions: 2
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    Warnings:
                                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                    • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.82.210.154, 209.197.3.8, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.50.102.62
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

Time | Type | Description
13:18:17 | API Interceptor | 1x Sleep call for process: Dgc1mwB234.exe modified
13:18:21 | API Interceptor | 958x Sleep call for process: RegSvcs.exe modified

                                    Joe Sandbox View / Context

                                    IPs

Match: 23.105.131.228
Associated Sample Name / URL | Detection
Sts Global Order.xlsx | malicious
R7nWmIxbbl.exe | malicious
ubwJ8nHmzP.exe | malicious
PO #11325201021.xlsx | malicious
HSBC.exe | malicious
UUGCfhIdFD.exe | malicious
KPcrOQcb5P.exe | malicious
rGsJ1mXomJ.exe | malicious

                                                    Domains

Match: newme122.3utilities.com
Associated Sample Name / URL | Detection | Context
Sts Global Order.xlsx | malicious | 23.105.131.228
R7nWmIxbbl.exe | malicious | 23.105.131.228
product specification.xlsx | malicious | 23.105.131.228
PO 11325201021.xlsx | malicious | 23.105.131.228
ubwJ8nHmzP.exe | malicious | 23.105.131.228
PO #11325201021.xlsx | malicious | 23.105.131.228

                                                    ASN

Match: LEASEWEB-USA-NYC-11US
Associated Sample Name / URL | Detection | Context
Sts Global Order.xlsx | malicious | 23.105.131.228
R7nWmIxbbl.exe | malicious | 23.105.131.228
ubwJ8nHmzP.exe | malicious | 23.105.131.228
PO #11325201021.xlsx | malicious | 23.105.131.228
Invoice Payment.exe | malicious | 23.105.131.236
Invoice Payment.exe | malicious | 23.105.131.236
order copy.pdf.exe | malicious | 23.105.131.161
Scan3094-03.exe | malicious | 23.105.131.220
payment details.pdf.exe | malicious | 23.105.131.206
C06689-L2C.pdf.exe | malicious | 23.105.131.206
OKNYaX8JqF.exe | malicious | 23.105.131.161
lt.exe | malicious | 23.105.131.161
triage_dropped_file.exe | malicious | 23.105.131.161
Payment Slips.exe | malicious | 23.105.131.236
order copy.pdf.exe | malicious | 23.105.131.161
Po requirements documents.jar | malicious | 23.105.131.187
xd.arm | malicious | 142.91.50.26
Payment Receipt.exe | malicious | 23.105.131.212
SoftFun.exe | malicious | 23.105.131.196

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

Match: C:\Users\user\AppData\Roaming\CXFxEHIAOoJFws.exe
Associated Sample Name / URL | Detection
Sts Global Order.xlsx | malicious

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Dgc1mwB234.exe.log
                                                      Process:C:\Users\user\Desktop\Dgc1mwB234.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):525
                                                      Entropy (8bit):5.2874233355119316
                                                      Encrypted:false
                                                      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                      MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                      SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                      SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                      SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                      C:\Users\user\AppData\Local\Temp\tmpC9C9.tmp
                                                      Process:C:\Users\user\Desktop\Dgc1mwB234.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1651
                                                      Entropy (8bit):5.182603126812438
                                                      Encrypted:false
                                                      SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBbtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3/
                                                      MD5:00E8857F4F5DC7FC50BDDC5C9E5F4E5F
                                                      SHA1:B80150A76AF4D548F6DB2046C30DDAED5703D9AA
                                                      SHA-256:9DDBD3962EB721086ED2EB39C9CCD4DC5D2E834DE01B0E040619E654E237FF36
                                                      SHA-512:C3318E2F6A23C16819AD381F95A2025DA64418D898C34301EA7E6A7BFAF610CA3B83B66A7D5F5FFC34C2C3146E554D0F468C9359AE18373A0E912A6CE99E8EB3
                                                      Malicious:true
                                                      Reputation:low
                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                      C:\Users\user\AppData\Roaming\CXFxEHIAOoJFws.exe
                                                      Process:C:\Users\user\Desktop\Dgc1mwB234.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1085952
                                                      Entropy (8bit):7.900410175742084
                                                      Encrypted:false
                                                      SSDEEP:24576:vT120Gers/orbvtIeOIPr6e/kbHYI42Pv+1vVi:vhqC4o+l4rLsbHz42Pu
                                                      MD5:5DC1D41E2F9969D85896921F7B4AE261
                                                      SHA1:8DAE6EB305EAD57EEDDFDECBF34CCA61AF653973
                                                      SHA-256:2A95FEDE08D035E26D8A261C58359901344D23395094BD51F32E868964D61634
                                                      SHA-512:96AA1DC7A5780FE484120B32CA2B66234450787370A0CC7B25AFBFFDE7C4AE5DBFF84FC496C8D92FF8AB3507FDFA361CF055E2910B72085F02956647A240FB63
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      Joe Sandbox View:
• Filename: Sts Global Order.xlsx, Detection: malicious
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ua............................~.... ........@.. ....................................@.................................0...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H............\..........8...............................................0..........+.&.(....(....:....& ....87...8......(..... ....8 ......(........X.8.... ............E....................9...d...*...N...........u... ....8...... ....8........8....& ....8....(.... ....8..... ....(.... ....8......o....?C... ....8k.....(.... ....8Z....*...J+.&.........o....*.>+.&......(....*>+.&......(....*.+.&..(....*.+.&..*..+.&..*..0..........+.&..~......e(........8.....*....0..........+.&.
                                                      C:\Users\user\AppData\Roaming\CXFxEHIAOoJFws.exe:Zone.Identifier
                                                      Process:C:\Users\user\Desktop\Dgc1mwB234.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview: [ZoneTransfer]....ZoneId=0
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      File Type:Non-ISO extended-ASCII text, with no line terminators, with escape sequences
                                                      Category:dropped
                                                      Size (bytes):8
                                                      Entropy (8bit):2.75
                                                      Encrypted:false
                                                      SSDEEP:3:iltn:W
                                                      MD5:06525540CB844935ABCA240202343F17
                                                      SHA1:B9E0FECE004A2732649641BEB0275732613C3409
                                                      SHA-256:49D90FCC29BD2DBEFA8D09221B0338810DFF1E453F91B252B0F196262FC388E2
                                                      SHA-512:61921414432E97302950505A7DB24E3778DEEE7476D859220987171AE6A233672A930922C134DAB8442F187404C840CB82A6F70932B7AC67E27224B090C0F35C
                                                      Malicious:true
                                                      Preview: .......H
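Two of the previews above are the persistence and evasion artefacts an analyst would extract first: the task definition (tmpC9C9.tmp, presumably the XML handed to schtasks.exe, which the signature list flags) with an enabled LogonTrigger, an InteractiveToken principal at LeastPrivilege, and a RegistrationInfo date of 2014 that predates the sample's 2021 link time; and the Zone.Identifier stream written beside the copy in AppData\Roaming with ZoneId=0, the Local Machine zone, so the copy never carries the mark of the web a downloaded file would. The Python below is an added example, not code from the report or from Joe Sandbox. Its inputs are the two previews reconstructed from the report; the task XML is closed off where the preview is cut (no Actions element is visible, so none is assumed), and it declares UTF-16 although the report identifies the file as ASCII, so the declaration is dropped before parsing.

```python
"""Triage the Task Scheduler XML and the Zone.Identifier stream dropped
by the sample. Added example; not code from the report or from Joe Sandbox.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed from the report preview ('..' in the preview is CRLF); elements
# after AllowHardTerminate are not visible in the preview and are omitted.
TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
  </Settings>
</Task>
"""

# Constructed from the report preview ('....' is two CRLFs).
ZONE_IDENTIFIER = "[ZoneTransfer]\r\n\r\nZoneId=0\r\n"

# URLZONE values as used by the Attachment Execution Service.
URLZONE = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
           3: "Internet", 4: "Restricted Sites"}


def parse_task(xml_text: str) -> dict:
    """Pull the persistence-relevant fields out of a Task Scheduler definition."""
    # The file declares UTF-16 but the bytes are ASCII (per the report's file
    # type); drop the declaration so the parser is not steered by it.
    body = re.sub(r"^<\?xml[^>]*\?>\s*", "", xml_text)
    root = ET.fromstring(body)

    def text(path):
        node = root.find(path, TASK_NS)
        return node.text.strip() if node is not None and node.text else None

    triggers = []
    for trig in root.find("t:Triggers", TASK_NS) or []:
        kind = trig.tag.split("}")[-1]                     # strip the namespace
        enabled = trig.find("t:Enabled", TASK_NS)
        # Task Scheduler treats a missing <Enabled> as enabled.
        triggers.append((kind, enabled is None or enabled.text.strip().lower() == "true"))
    return {
        "registered": text("t:RegistrationInfo/t:Date"),
        "author": text("t:RegistrationInfo/t:Author"),
        "triggers": triggers,
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "instances": text("t:Settings/t:MultipleInstancesPolicy"),
    }


def is_user_logon_persistence(task: dict) -> bool:
    """The pattern seen here: an enabled LogonTrigger run as the interactive
    user at least privilege, i.e. survives reboot without ever raising UAC."""
    return (("LogonTrigger", True) in task["triggers"]
            and task["logon_type"] == "InteractiveToken"
            and task["run_level"] == "LeastPrivilege")


def zone_id(ads_text: str):
    """ZoneId from a Zone.Identifier stream, or None if the stream has none."""
    m = re.search(r"^ZoneId=(\d+)\s*$", ads_text, re.M)
    return int(m.group(1)) if m else None


def zone_name(ads_text: str):
    zid = zone_id(ads_text)
    return URLZONE.get(zid) if zid is not None else None


def mark_of_the_web_removed(ads_text: str) -> bool:
    """A copy the loader writes itself with ZoneId=0 (Local Machine) gets none of
    the SmartScreen or Protected View handling a ZoneId=3 download would."""
    return zone_id(ads_text) == 0
```

A hunting query built from this would look for Task Scheduler definitions registered from a user-writable path with a LogonTrigger and InteractiveToken principal, and for executables under AppData\Roaming whose Zone.Identifier says ZoneId=0 while the parent process is itself a freshly downloaded file.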

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.900410175742084
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                      • Win32 Executable (generic) a (10002005/4) 49.97%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:Dgc1mwB234.exe
                                                      File size:1085952
                                                      MD5:5dc1d41e2f9969d85896921f7b4ae261
                                                      SHA1:8dae6eb305ead57eeddfdecbf34cca61af653973
                                                      SHA256:2a95fede08d035e26d8a261c58359901344d23395094bd51f32e868964d61634
                                                      SHA512:96aa1dc7a5780fe484120b32ca2b66234450787370a0cc7b25afbffde7c4ae5dbff84fc496c8d92ff8ab3507fdfa361cf055e2910b72085f02956647a240fb63
                                                      SSDEEP:24576:vT120Gers/orbvtIeOIPr6e/kbHYI42Pv+1vVi:vhqC4o+l4rLsbHz42Pu
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ua............................~.... ........@.. ....................................@................................

                                                      File Icon

                                                      Icon Hash:00828e8e8686b000

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x50a67e
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x61750B88 [Sun Oct 24 07:30:16 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v2.0.50727
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al

                                                      Data Directories

                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10a630 | 0x4b | .text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10c000 | 0x5a8 | .rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10e000 | 0xc | .reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                      Sections

                                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                      .text | 0x2000 | 0x108684 | 0x108800 | False | 0.939694035031 | data | 7.90482158823 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                      .rsrc | 0x10c000 | 0x5a8 | 0x600 | False | 0.421223958333 | data | 4.08519384861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc | 0x10e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                      Name | RVA | Size | Type | Language | Country
                                                      RT_VERSION | 0x10c0a0 | 0x31c | data | |
                                                      RT_MANIFEST | 0x10c3bc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                      Imports

                                                      DLL | Import
                                                      mscoree.dll | _CorExeMain

                                                      Version Infos

                                                      Description | Data
                                                      Translation | 0x0000 0x04b0
                                                      LegalCopyright | Copyright 2017
                                                      Assembly Version | 1.0.0.0
                                                      InternalName | Formatt.exe
                                                      FileVersion | 1.0.0.0
                                                      CompanyName |
                                                      LegalTrademarks |
                                                      Comments |
                                                      ProductName | GameLibrary
                                                      ProductVersion | 1.0.0.0
                                                      FileDescription | GameLibrary
                                                      OriginalFilename | Formatt.exe

                                                      Network Behavior

                                                      Snort IDS Alerts

                                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                      10/25/21-13:18:24.219605 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55161 | 8.8.8.8 | 192.168.2.5
                                                      10/25/21-13:18:29.754053 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49992 | 8.8.8.8 | 192.168.2.5
                                                      10/25/21-13:18:53.494242 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 54450 | 8.8.8.8 | 192.168.2.5
                                                      10/25/21-13:19:04.362810 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59413 | 8.8.8.8 | 192.168.2.5
                                                      10/25/21-13:19:28.249267 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50969 | 8.8.8.8 | 192.168.2.5
                                                      10/25/21-13:19:52.354760 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61150 | 8.8.8.8 | 192.168.2.5
                                                      10/25/21-13:19:57.755074 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50422 | 8.8.8.8 | 192.168.2.5
                                                      10/25/21-13:20:20.952256 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62847 | 8.8.8.8 | 192.168.2.5

                                                      Network Port Distribution

                                                      TCP Packets

                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Oct 25, 2021 13:18:24.229736090 CEST | 49778 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:24.331218004 CEST | 8822 | 49778 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:24.843277931 CEST | 49778 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:24.944647074 CEST | 8822 | 49778 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:25.452764034 CEST | 49778 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:25.553905010 CEST | 8822 | 49778 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:29.756159067 CEST | 49783 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:29.858155966 CEST | 8822 | 49783 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:30.375091076 CEST | 49783 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:30.477061033 CEST | 8822 | 49783 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:30.984760046 CEST | 49783 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:31.086971045 CEST | 8822 | 49783 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:35.251679897 CEST | 49784 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:35.353919983 CEST | 8822 | 49784 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:35.876008034 CEST | 49784 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:35.978415966 CEST | 8822 | 49784 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:36.485008001 CEST | 49784 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:36.587162018 CEST | 8822 | 49784 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:53.495866060 CEST | 49787 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:53.597923040 CEST | 8822 | 49787 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:54.111454010 CEST | 49787 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:54.213706017 CEST | 8822 | 49787 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:54.720803976 CEST | 49787 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:54.822851896 CEST | 8822 | 49787 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:58.914319992 CEST | 49789 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:59.016427994 CEST | 8822 | 49789 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:18:59.518157959 CEST | 49789 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:18:59.620444059 CEST | 8822 | 49789 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:00.127527952 CEST | 49789 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:00.229479074 CEST | 8822 | 49789 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:04.364578962 CEST | 49790 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:04.466742992 CEST | 8822 | 49790 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:04.971772909 CEST | 49790 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:05.073801994 CEST | 8822 | 49790 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:05.581149101 CEST | 49790 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:05.684072018 CEST | 8822 | 49790 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:22.679969072 CEST | 49824 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:22.782475948 CEST | 8822 | 49824 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:23.285787106 CEST | 49824 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:23.387103081 CEST | 8822 | 49824 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:23.895737886 CEST | 49824 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:23.999279976 CEST | 8822 | 49824 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:28.250555038 CEST | 49826 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:28.352610111 CEST | 8822 | 49826 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:28.864268064 CEST | 49826 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:28.966200113 CEST | 8822 | 49826 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:29.473709106 CEST | 49826 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:29.575668097 CEST | 8822 | 49826 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:34.481539011 CEST | 49827 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:34.582684040 CEST | 8822 | 49827 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:35.100047112 CEST | 49827 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:35.201267004 CEST | 8822 | 49827 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:35.708621025 CEST | 49827 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:35.810509920 CEST | 8822 | 49827 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:52.356185913 CEST | 49829 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:52.461040974 CEST | 8822 | 49829 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:52.975768089 CEST | 49829 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:53.077406883 CEST | 8822 | 49829 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:53.585244894 CEST | 49829 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:53.687624931 CEST | 8822 | 49829 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:57.757257938 CEST | 49833 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:57.859532118 CEST | 8822 | 49833 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:58.366944075 CEST | 49833 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:58.470392942 CEST | 8822 | 49833 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:19:58.976372004 CEST | 49833 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:19:59.079014063 CEST | 8822 | 49833 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:20:03.231915951 CEST | 49834 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:20:03.333264112 CEST | 8822 | 49834 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:20:03.836040974 CEST | 49834 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:20:03.937845945 CEST | 8822 | 49834 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:20:04.445617914 CEST | 49834 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:20:04.550070047 CEST | 8822 | 49834 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:20:20.952842951 CEST | 49835 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:20:21.055294037 CEST | 8822 | 49835 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:20:21.556330919 CEST | 49835 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:20:21.658687115 CEST | 8822 | 49835 | 23.105.131.228 | 192.168.2.5
                                                      Oct 25, 2021 13:20:22.166929960 CEST | 49835 | 8822 | 192.168.2.5 | 23.105.131.228
                                                      Oct 25, 2021 13:20:22.271866083 CEST | 8822 | 49835 | 23.105.131.228 | 192.168.2.5

                                                      UDP Packets

                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Oct 25, 2021 13:18:24.198946953 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:18:24.219604969 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:18:29.733983994 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:18:29.754053116 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:18:35.230837107 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:18:35.249157906 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:18:40.718759060 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:18:40.737077951 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:18:40.830085039 CEST | 57128 | 53 | 192.168.2.5 | 8.8.4.4
                                                      Oct 25, 2021 13:18:40.849956989 CEST | 53 | 57128 | 8.8.4.4 | 192.168.2.5
                                                      Oct 25, 2021 13:18:41.138411999 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:18:41.158586025 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:18:45.225208044 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:18:45.243746996 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:18:45.248320103 CEST | 50394 | 53 | 192.168.2.5 | 8.8.4.4
                                                      Oct 25, 2021 13:18:45.264602900 CEST | 53 | 50394 | 8.8.4.4 | 192.168.2.5
                                                      Oct 25, 2021 13:18:45.282299995 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:18:45.300805092 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:18:49.340221882 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:18:49.357217073 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:18:49.359814882 CEST | 63732 | 53 | 192.168.2.5 | 8.8.4.4
                                                      Oct 25, 2021 13:18:49.380017996 CEST | 53 | 63732 | 8.8.4.4 | 192.168.2.5
                                                      Oct 25, 2021 13:18:49.389332056 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:18:49.407651901 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:18:53.474283934 CEST | 54450 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:18:53.494241953 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:18:58.894469976 CEST | 57151 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:18:58.912807941 CEST | 53 | 57151 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:04.341650963 CEST | 59413 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:04.362809896 CEST | 53 | 59413 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:09.763780117 CEST | 51649 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:09.782102108 CEST | 53 | 51649 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:09.785937071 CEST | 65086 | 53 | 192.168.2.5 | 8.8.4.4
                                                      Oct 25, 2021 13:19:09.807462931 CEST | 53 | 65086 | 8.8.4.4 | 192.168.2.5
                                                      Oct 25, 2021 13:19:09.816464901 CEST | 56432 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:09.832590103 CEST | 53 | 56432 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:13.960675955 CEST | 52929 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:13.979291916 CEST | 53 | 52929 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:14.020601034 CEST | 64317 | 53 | 192.168.2.5 | 8.8.4.4
                                                      Oct 25, 2021 13:19:14.037285089 CEST | 53 | 64317 | 8.8.4.4 | 192.168.2.5
                                                      Oct 25, 2021 13:19:14.045154095 CEST | 61004 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:14.061564922 CEST | 53 | 61004 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:18.100016117 CEST | 62372 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:18.116606951 CEST | 53 | 62372 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:18.120496988 CEST | 61515 | 53 | 192.168.2.5 | 8.8.4.4
                                                      Oct 25, 2021 13:19:18.139111996 CEST | 53 | 61515 | 8.8.4.4 | 192.168.2.5
                                                      Oct 25, 2021 13:19:18.290654898 CEST | 56675 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:18.312757969 CEST | 53 | 56675 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:22.662142038 CEST | 55267 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:22.678601027 CEST | 53 | 55267 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:28.229417086 CEST | 50969 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:28.249267101 CEST | 53 | 50969 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:34.461467981 CEST | 64362 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:34.479782104 CEST | 53 | 64362 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:39.867782116 CEST | 54766 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:39.888752937 CEST | 53 | 54766 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:39.892514944 CEST | 61446 | 53 | 192.168.2.5 | 8.8.4.4
                                                      Oct 25, 2021 13:19:39.911220074 CEST | 53 | 61446 | 8.8.4.4 | 192.168.2.5
                                                      Oct 25, 2021 13:19:39.961859941 CEST | 57515 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:39.980130911 CEST | 53 | 57515 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:44.046120882 CEST | 58199 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:44.064822912 CEST | 53 | 58199 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:44.068089008 CEST | 65221 | 53 | 192.168.2.5 | 8.8.4.4
                                                      Oct 25, 2021 13:19:44.087538004 CEST | 53 | 65221 | 8.8.4.4 | 192.168.2.5
                                                      Oct 25, 2021 13:19:44.135345936 CEST | 61573 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:44.152204990 CEST | 53 | 61573 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:48.197417021 CEST | 56562 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:48.213984966 CEST | 53 | 56562 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:48.216640949 CEST | 53591 | 53 | 192.168.2.5 | 8.8.4.4
                                                      Oct 25, 2021 13:19:48.233685970 CEST | 53 | 53591 | 8.8.4.4 | 192.168.2.5
                                                      Oct 25, 2021 13:19:48.245408058 CEST | 59688 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:48.265573978 CEST | 53 | 59688 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:52.333348036 CEST | 61150 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:52.354759932 CEST | 53 | 61150 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:19:57.733491898 CEST | 50422 | 53 | 192.168.2.5 | 8.8.8.8
                                                      Oct 25, 2021 13:19:57.755074024 CEST | 53 | 50422 | 8.8.8.8 | 192.168.2.5
                                                      Oct 25, 2021 13:20:03.210098982 CEST5324753192.168.2.58.8.8.8
                                                      Oct 25, 2021 13:20:03.229873896 CEST53532478.8.8.8192.168.2.5
                                                      Oct 25, 2021 13:20:08.594829082 CEST5854453192.168.2.58.8.8.8
                                                      Oct 25, 2021 13:20:08.611241102 CEST53585448.8.8.8192.168.2.5
                                                      Oct 25, 2021 13:20:08.642641068 CEST5381453192.168.2.58.8.4.4
                                                      Oct 25, 2021 13:20:08.663342953 CEST53538148.8.4.4192.168.2.5
                                                      Oct 25, 2021 13:20:08.674236059 CEST5130553192.168.2.58.8.8.8
                                                      Oct 25, 2021 13:20:08.694509983 CEST53513058.8.8.8192.168.2.5
                                                      Oct 25, 2021 13:20:12.726998091 CEST5367053192.168.2.58.8.8.8
                                                      Oct 25, 2021 13:20:12.747287035 CEST53536708.8.8.8192.168.2.5
                                                      Oct 25, 2021 13:20:12.759303093 CEST5516053192.168.2.58.8.4.4
                                                      Oct 25, 2021 13:20:12.775943041 CEST53551608.8.4.4192.168.2.5
                                                      Oct 25, 2021 13:20:12.813448906 CEST6141453192.168.2.58.8.8.8
                                                      Oct 25, 2021 13:20:12.831873894 CEST53614148.8.8.8192.168.2.5
                                                      Oct 25, 2021 13:20:16.842833996 CEST6384753192.168.2.58.8.8.8
                                                      Oct 25, 2021 13:20:16.861476898 CEST53638478.8.8.8192.168.2.5
                                                      Oct 25, 2021 13:20:16.862308025 CEST6152353192.168.2.58.8.4.4
                                                      Oct 25, 2021 13:20:16.878818989 CEST53615238.8.4.4192.168.2.5
                                                      Oct 25, 2021 13:20:16.881802082 CEST5055153192.168.2.58.8.8.8
                                                      Oct 25, 2021 13:20:16.900333881 CEST53505518.8.8.8192.168.2.5
                                                      Oct 25, 2021 13:20:20.932284117 CEST6284753192.168.2.58.8.8.8
                                                      Oct 25, 2021 13:20:20.952255964 CEST53628478.8.8.8192.168.2.5

                                                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 25, 2021 13:18:24.198946953 CEST | 192.168.2.5 | 8.8.8.8 | 0xe096 | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:29.733983994 CEST | 192.168.2.5 | 8.8.8.8 | 0x6424 | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:35.230837107 CEST | 192.168.2.5 | 8.8.8.8 | 0x2c3 | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:40.718759060 CEST | 192.168.2.5 | 8.8.8.8 | 0x43b0 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:40.830085039 CEST | 192.168.2.5 | 8.8.4.4 | 0x454a | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:41.138411999 CEST | 192.168.2.5 | 8.8.8.8 | 0xac7a | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:45.225208044 CEST | 192.168.2.5 | 8.8.8.8 | 0x3252 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:45.248320103 CEST | 192.168.2.5 | 8.8.4.4 | 0x70f8 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:45.282299995 CEST | 192.168.2.5 | 8.8.8.8 | 0x6c8e | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:49.340221882 CEST | 192.168.2.5 | 8.8.8.8 | 0x78c4 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:49.359814882 CEST | 192.168.2.5 | 8.8.4.4 | 0xb3b1 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:49.389332056 CEST | 192.168.2.5 | 8.8.8.8 | 0xa19b | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:53.474283934 CEST | 192.168.2.5 | 8.8.8.8 | 0xffdf | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:58.894469976 CEST | 192.168.2.5 | 8.8.8.8 | 0xd637 | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:04.341650963 CEST | 192.168.2.5 | 8.8.8.8 | 0x9a71 | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:09.763780117 CEST | 192.168.2.5 | 8.8.8.8 | 0xca07 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:09.785937071 CEST | 192.168.2.5 | 8.8.4.4 | 0x903b | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:09.816464901 CEST | 192.168.2.5 | 8.8.8.8 | 0xf3b | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:13.960675955 CEST | 192.168.2.5 | 8.8.8.8 | 0xf5c8 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:14.020601034 CEST | 192.168.2.5 | 8.8.4.4 | 0x44e | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:14.045154095 CEST | 192.168.2.5 | 8.8.8.8 | 0xc4e7 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:18.100016117 CEST | 192.168.2.5 | 8.8.8.8 | 0x8bc5 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:18.120496988 CEST | 192.168.2.5 | 8.8.4.4 | 0xa92d | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:18.290654898 CEST | 192.168.2.5 | 8.8.8.8 | 0xb2c0 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:22.662142038 CEST | 192.168.2.5 | 8.8.8.8 | 0xa181 | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:28.229417086 CEST | 192.168.2.5 | 8.8.8.8 | 0xde8 | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:34.461467981 CEST | 192.168.2.5 | 8.8.8.8 | 0xba08 | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:39.867782116 CEST | 192.168.2.5 | 8.8.8.8 | 0xce9f | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:39.892514944 CEST | 192.168.2.5 | 8.8.4.4 | 0x9d3b | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:39.961859941 CEST | 192.168.2.5 | 8.8.8.8 | 0x7216 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:44.046120882 CEST | 192.168.2.5 | 8.8.8.8 | 0xe05 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:44.068089008 CEST | 192.168.2.5 | 8.8.4.4 | 0x66e2 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:44.135345936 CEST | 192.168.2.5 | 8.8.8.8 | 0xb3e2 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:48.197417021 CEST | 192.168.2.5 | 8.8.8.8 | 0xa202 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:48.216640949 CEST | 192.168.2.5 | 8.8.4.4 | 0x89a7 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:48.245408058 CEST | 192.168.2.5 | 8.8.8.8 | 0x4aeb | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:52.333348036 CEST | 192.168.2.5 | 8.8.8.8 | 0xc76d | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:57.733491898 CEST | 192.168.2.5 | 8.8.8.8 | 0x587f | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:03.210098982 CEST | 192.168.2.5 | 8.8.8.8 | 0x4f04 | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:08.594829082 CEST | 192.168.2.5 | 8.8.8.8 | 0x5b3f | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:08.642641068 CEST | 192.168.2.5 | 8.8.4.4 | 0xf0ce | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:08.674236059 CEST | 192.168.2.5 | 8.8.8.8 | 0x7170 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:12.726998091 CEST | 192.168.2.5 | 8.8.8.8 | 0x3ef4 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:12.759303093 CEST | 192.168.2.5 | 8.8.4.4 | 0x8d1 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:12.813448906 CEST | 192.168.2.5 | 8.8.8.8 | 0x7ab5 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:16.842833996 CEST | 192.168.2.5 | 8.8.8.8 | 0xd61 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:16.862308025 CEST | 192.168.2.5 | 8.8.4.4 | 0xb62f | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:16.881802082 CEST | 192.168.2.5 | 8.8.8.8 | 0xb4f3 | Standard query (0) | newme1122.3utilities.com | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:20.932284117 CEST | 192.168.2.5 | 8.8.8.8 | 0x9ad7 | Standard query (0) | newme122.3utilities.com | A (IP address) | IN (0x0001)

                                                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 25, 2021 13:18:24.219604969 CEST | 8.8.8.8 | 192.168.2.5 | 0xe096 | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:29.754053116 CEST | 8.8.8.8 | 192.168.2.5 | 0x6424 | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:35.249157906 CEST | 8.8.8.8 | 192.168.2.5 | 0x2c3 | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:53.494241953 CEST | 8.8.8.8 | 192.168.2.5 | 0xffdf | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)
Oct 25, 2021 13:18:58.912807941 CEST | 8.8.8.8 | 192.168.2.5 | 0xd637 | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:04.362809896 CEST | 8.8.8.8 | 192.168.2.5 | 0x9a71 | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:22.678601027 CEST | 8.8.8.8 | 192.168.2.5 | 0xa181 | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:28.249267101 CEST | 8.8.8.8 | 192.168.2.5 | 0xde8 | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:34.479782104 CEST | 8.8.8.8 | 192.168.2.5 | 0xba08 | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:52.354759932 CEST | 8.8.8.8 | 192.168.2.5 | 0xc76d | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)
Oct 25, 2021 13:19:57.755074024 CEST | 8.8.8.8 | 192.168.2.5 | 0x587f | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:03.229873896 CEST | 8.8.8.8 | 192.168.2.5 | 0x4f04 | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)
Oct 25, 2021 13:20:20.952255964 CEST | 8.8.8.8 | 192.168.2.5 | 0x9ad7 | No error (0) | newme122.3utilities.com | | 23.105.131.228 | A (IP address) | IN (0x0001)

                                                      System Behavior

                                                      General

Start time: 13:18:11
Start date: 25/10/2021
Path: C:\Users\user\Desktop\Dgc1mwB234.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Dgc1mwB234.exe'
Imagebase: 0x110000
File size: 1085952 bytes
MD5 hash: 5DC1D41E2F9969D85896921F7B4AE261
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.253245800.0000000002801000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.253904015.0000000003801000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.254807423.0000000003B0F000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.254807423.0000000003B0F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.254807423.0000000003B0F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

                                                      General

Start time: 13:18:19
Start date: 25/10/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CXFxEHIAOoJFws' /XML 'C:\Users\user\AppData\Local\Temp\tmpC9C9.tmp'
Imagebase: 0x270000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                      General

Start time: 13:18:19
Start date: 25/10/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                      General

Start time: 13:18:20
Start date: 25/10/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase: 0xe60000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

                                                      Disassembly

                                                      Code Analysis

                                                        Executed Functions

                                                        APIs
                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 06940683
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: AdjustPrivilegesToken
                                                        • String ID:
                                                        • API String ID: 2874748243-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 06940683
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: AdjustPrivilegesToken
                                                        • String ID:
                                                        • API String ID: 2874748243-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 069408B5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationQuerySystem
                                                        • String ID:
                                                        • API String ID: 3562636166-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 022BA346
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: NameUser
                                                        • String ID:
                                                        • API String ID: 2645101109-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 069408B5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationQuerySystem
                                                        • String ID:
                                                        • API String ID: 3562636166-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 069414C1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 6f2fa4d7b9871425d243379aa4c2065700d207093828350cb8daf10baac752b5
                                                        • Instruction ID: aca6895ec2d97f1e213ea2f6219618b9005239c774e112054ed157edfba20b4e
                                                        • Opcode Fuzzy Hash: 6f2fa4d7b9871425d243379aa4c2065700d207093828350cb8daf10baac752b5
                                                        • Instruction Fuzzy Hash: 43514A7150E3C05FE7139B658C64AA2BFB8AF47214F0984DBE8C4DF1A3D264A809C772
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetTokenInformation.KERNELBASE(?,00000E2C,C3008D77,00000000,00000000,00000000,00000000), ref: 069410A8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationToken
                                                        • String ID:
                                                        • API String ID: 4114910276-0
                                                        • Opcode ID: d205527aa146895a7e0b978d90afc838c42df2649df3fef11d9baab5e9f752c4
                                                        • Instruction ID: 0ce0e170de7ad949ad030358fb7d2d40b3b5c419f10ad085726718542d1fc5d8
                                                        • Opcode Fuzzy Hash: d205527aa146895a7e0b978d90afc838c42df2649df3fef11d9baab5e9f752c4
                                                        • Instruction Fuzzy Hash: 4831E4725093806FEB228F64DC81FA6BFBCEF06310F08849AE984DB153D624A548D7B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 022BACD1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        • Opcode ID: cf1471f28910453ebc9d0d8d9537144d19d0a4e397a743c19ad74e23d761a84c
                                                        • Instruction ID: 6a6209e3d2a211249a7c317cadbf809200d682ec412a26b61a3cfe16ad4a0cca
                                                        • Opcode Fuzzy Hash: cf1471f28910453ebc9d0d8d9537144d19d0a4e397a743c19ad74e23d761a84c
                                                        • Instruction Fuzzy Hash: AE31B6725043846FE7228B65CC85FA7BFFCEF05310F08859AFD819B152D664A549CB71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegQueryValueExW.KERNELBASE(?,00000E2C,C3008D77,00000000,00000000,00000000,00000000), ref: 022BADD4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        • Opcode ID: bc7997ba6e3e44ed5c415a81f1154255d3b0f4c2e9bf556d1f68b4e41d51063e
                                                        • Instruction ID: 68810ecb55867f611c2f8615e347efd7e3e935ef054ad89bb1e907dd18298ba1
                                                        • Opcode Fuzzy Hash: bc7997ba6e3e44ed5c415a81f1154255d3b0f4c2e9bf556d1f68b4e41d51063e
                                                        • Instruction Fuzzy Hash: 7631BF765093856FEB22CB65CC85FA2BFB8EF06310F08849AE985CB152D764E548CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CopyFileW.KERNELBASE(?,?,?), ref: 06940B4A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: CopyFile
                                                        • String ID:
                                                        • API String ID: 1304948518-0
                                                        • Opcode ID: 2f0d8454a2a9a1ceafdf8b4e2d8bca13aad23c0b7aaca87789380daf8c981598
                                                        • Instruction ID: 77c93a02428e3b652544ad2cd1d476c478a2401158a9f9f6cd328649626356a6
                                                        • Opcode Fuzzy Hash: 2f0d8454a2a9a1ceafdf8b4e2d8bca13aad23c0b7aaca87789380daf8c981598
                                                        • Instruction Fuzzy Hash: 68316F7250D3C05FD7138B249C55A52BFB8AF07224F1D84DBE984CB163E2299848C762
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateMutexW.KERNELBASE(?,?), ref: 06940425
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateMutex
                                                        • String ID:
                                                        • API String ID: 1964310414-0
                                                        • Opcode ID: 97db16ef01a94fd313b4d467b45486bfa14ca8993770978f353e4f1ff30d50c0
                                                        • Instruction ID: 8584b6b16ac58171f1f599b6afcba4c6438f1045d44d74848deb95457869299d
                                                        • Opcode Fuzzy Hash: 97db16ef01a94fd313b4d467b45486bfa14ca8993770978f353e4f1ff30d50c0
                                                        • Instruction Fuzzy Hash: E5318FB15097806FE712DB25DC84F56BFE8EF06310F1884AAE984DF293E364A909C761
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 022BA346
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: NameUser
                                                        • String ID:
                                                        • API String ID: 2645101109-0
                                                        • Opcode ID: 0fb8de99bb1bdc371a93d598cf27ee1d5e6dd52a2907292ea0e72c35222aea33
                                                        • Instruction ID: 4378a4fd9e382aed9bc03ce1ec0676a7a5dd2c3fcccdb818519bb12aafc71b97
                                                        • Opcode Fuzzy Hash: 0fb8de99bb1bdc371a93d598cf27ee1d5e6dd52a2907292ea0e72c35222aea33
                                                        • Instruction Fuzzy Hash: A731807140E3C16FD3138B259C55B61BFB4EF47610F0A81DBE884CB5A3D229A919C7A2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetFileType.KERNELBASE(?,00000E2C,C3008D77,00000000,00000000,00000000,00000000), ref: 069415AD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID:
                                                        • API String ID: 3081899298-0
                                                        • Opcode ID: bd7cea7d3f547158dff2372446bc61e5cf6e3ec00c077e0d970f36e8ec19ee58
                                                        • Instruction ID: c92ccddf15893fdb0bb389cdd006ce20a782755036757d65e8b54b1dd53e5660
                                                        • Opcode Fuzzy Hash: bd7cea7d3f547158dff2372446bc61e5cf6e3ec00c077e0d970f36e8ec19ee58
                                                        • Instruction Fuzzy Hash: EA210DB69087846FE7128B25DC80FA3BFBCEF46720F1884DBE9858B153D224A905C771
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 069414C1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: c644e266bdb78556882ddf2cda43c437136beacba069a8192a1444720729bb12
                                                        • Instruction ID: e89b7b8f8f0a4840244c2a3e658cbbc3ddac7afccc2d3f39b3c2d415318274a9
                                                        • Opcode Fuzzy Hash: c644e266bdb78556882ddf2cda43c437136beacba069a8192a1444720729bb12
                                                        • Instruction Fuzzy Hash: CC219D71A00640AFEB21DF69DC84F66FBE8EF08314F14886AE9858B652E775E444CB71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 06940502
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: LookupPrivilegeValue
                                                        • String ID:
                                                        • API String ID: 3899507212-0
                                                        • Opcode ID: 949578aea7019013b0039b60490dbc3f5bf9adfecf0657a6828d9964d4536934
                                                        • Instruction ID: 6f0ee7f7f41294f6ff1480c08018a2c9dc1d84e12db047e87daa9ff80e20fb75
                                                        • Opcode Fuzzy Hash: 949578aea7019013b0039b60490dbc3f5bf9adfecf0657a6828d9964d4536934
                                                        • Instruction Fuzzy Hash: 7521B6B29087815FE751CF25DC85B52BFA8FF16320F0985AAE984CB563E334D805CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WriteFile.KERNELBASE(?,00000E2C,C3008D77,00000000,00000000,00000000,00000000), ref: 06941679
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: FileWrite
                                                        • String ID:
                                                        • API String ID: 3934441357-0
                                                        • Opcode ID: cd0d3400a76b83b6432aeddabe6f70007f5b942477419ae31d730a0fa776e03a
                                                        • Instruction ID: 50d81495ae33050164868c1991170388c850b3fa3622b659c8f5e783c3944a66
                                                        • Opcode Fuzzy Hash: cd0d3400a76b83b6432aeddabe6f70007f5b942477419ae31d730a0fa776e03a
                                                        • Instruction Fuzzy Hash: 7421A4724097806FE7228F65DC84F56BFB8EF06314F08859BE9849F153D264A549CB71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 022BACD1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        • Opcode ID: 77d7861ec261c5ed72c9d25fbcefcf0a3d1a39210467080d886ea0b745ea6f3e
                                                        • Instruction ID: a1b7ee1de48439f4f9aef2da31deff8d9d381964f59e3061a25fab5babf57ef1
                                                        • Opcode Fuzzy Hash: 77d7861ec261c5ed72c9d25fbcefcf0a3d1a39210467080d886ea0b745ea6f3e
                                                        • Instruction Fuzzy Hash: 5E21D1B2500204AFE7219F99DC84FABFBECEF04311F14845AEE419B241D770E5088BB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateMutexW.KERNELBASE(?,?), ref: 06940425
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateMutex
                                                        • String ID:
                                                        • API String ID: 1964310414-0
                                                        • Opcode ID: f95dc16908a4a29124ea45087b6d64abfb5a89f829daa16ea07014d2141ed7df
                                                        • Instruction ID: 51a1fc98ae6881b9b71e8932baa7743ea5208a692e066596b9a1ee7ca44eae95
                                                        • Opcode Fuzzy Hash: f95dc16908a4a29124ea45087b6d64abfb5a89f829daa16ea07014d2141ed7df
                                                        • Instruction Fuzzy Hash: 3221CFB1904240AFE760EF29DC84F66FBECEF14310F14846AEE489B642E774E404CA71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegQueryValueExW.KERNELBASE(?,00000E2C,C3008D77,00000000,00000000,00000000,00000000), ref: 022BADD4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        • Opcode ID: 50c232e96cb74c5e48251469cb682211d4153c357a278b5d9bc61096d1517bb3
                                                        • Instruction ID: e5f615f459816ce1ba3b5e533b3177707e08c190734491cf47dc4b2c1c88ec31
                                                        • Opcode Fuzzy Hash: 50c232e96cb74c5e48251469cb682211d4153c357a278b5d9bc61096d1517bb3
                                                        • Instruction Fuzzy Hash: 45218EB6510605AFEB21CF65DC81FA6BBECEF04751F08846AEE458B255DB60E404CAB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetTokenInformation.KERNELBASE(?,00000E2C,C3008D77,00000000,00000000,00000000,00000000), ref: 069410A8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationToken
                                                        • String ID:
                                                        • API String ID: 4114910276-0
                                                        • Opcode ID: 33daa4a461d3b70a98b64fb7706386dbb740dd60430d6fe9a73ab0153e31a29a
                                                        • Instruction ID: d7acf3d11901eca9522154d82cfe392b9aefef7be26648041c204b3c0edcd438
                                                        • Opcode Fuzzy Hash: 33daa4a461d3b70a98b64fb7706386dbb740dd60430d6fe9a73ab0153e31a29a
                                                        • Instruction Fuzzy Hash: 4F11B4B2900244AFEB21DF69DC85FAAFBACEF04310F14886AEE45DB541D774A454CBB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DeleteFileW.KERNELBASE(?), ref: 06941894
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: 776aba278735c20e070476a656b42ac27a4dd0c1da4d50159913a40394162283
                                                        • Instruction ID: 3516efb7d08c577e62b53d1b4b19a269b1a7129b24a76354583574d1973ff3a1
                                                        • Opcode Fuzzy Hash: 776aba278735c20e070476a656b42ac27a4dd0c1da4d50159913a40394162283
                                                        • Instruction Fuzzy Hash: 3B21A57550D3C05FD7128B25DC55B56BFB8EF02210F0980EBED84CF653D2649948C762
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 022BB4A9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadShim
                                                        • String ID:
                                                        • API String ID: 1475914169-0
                                                        • Opcode ID: 56041aaee232bdb6331f6e167a70ac5651963232410c19252772076e7f87237c
                                                        • Instruction ID: a1d5124f12faefbcfd17499fc9d9d8f400e202b5c54066834a568bb5723e4a4b
                                                        • Opcode Fuzzy Hash: 56041aaee232bdb6331f6e167a70ac5651963232410c19252772076e7f87237c
                                                        • Instruction Fuzzy Hash: 0B2190B25093845FDB228E25DC45B62BFF8FF16714F08808AED84CB253E365A908CB71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 069419ED
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 4bf61a7a0953f024acb6882a717ab0e1cd35a9430649a227965d3d28fa114c5e
                                                        • Instruction ID: 2c81d41ef91162ef3cb091afd54b8541fa082f5220fce5fda5540bd6e979da34
                                                        • Opcode Fuzzy Hash: 4bf61a7a0953f024acb6882a717ab0e1cd35a9430649a227965d3d28fa114c5e
                                                        • Instruction Fuzzy Hash: FF2189724093C09FDB238B25CC44A62BFB4EF17220F0985DBE9C48F563D225A858DB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022BA666
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: f17dfed30a274139dce17edc92926f600b727ea91b93744abd444f69a16293fc
                                                        • Instruction ID: 1646578c817d367479c5e1ba296033ac9120c1ceab355c3fd698896582f16bdb
                                                        • Opcode Fuzzy Hash: f17dfed30a274139dce17edc92926f600b727ea91b93744abd444f69a16293fc
                                                        • Instruction Fuzzy Hash: C0117272409780AFDB238F65DC44B62FFB4EF4A310F08859AED858B153D375A418DB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WriteFile.KERNELBASE(?,00000E2C,C3008D77,00000000,00000000,00000000,00000000), ref: 06941679
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: FileWrite
                                                        • String ID:
                                                        • API String ID: 3934441357-0
                                                        • Opcode ID: 649e5eeee4a744cbdd2d12805f8d696c3048922b15e4594595273c922ca1ed38
                                                        • Instruction ID: 6c0cc6593ae06163bf8c1af353e0f9e695eddc055e264e29bf89b11b0ea64ea5
                                                        • Opcode Fuzzy Hash: 649e5eeee4a744cbdd2d12805f8d696c3048922b15e4594595273c922ca1ed38
                                                        • Instruction Fuzzy Hash: 9211E772800600AFEB21DF55DD80FA6FFA8EF44310F18886AEE559B641D774E444CBB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetFileAttributesW.KERNELBASE(?,?), ref: 06940C27
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: 128c85f23a3b3408df68f4083c8459bfd33c7bd078e01413cc360eefc412038d
                                                        • Instruction ID: 91ea55f98293f5163a8316d18e415727a2c9ce536c5e1d730f875aad05ce60aa
                                                        • Opcode Fuzzy Hash: 128c85f23a3b3408df68f4083c8459bfd33c7bd078e01413cc360eefc412038d
                                                        • Instruction Fuzzy Hash: E811D0769083849FDB11CF25DC85B52BFE8EF06220F0884AAED84CF253D274A848CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 06941D75
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 20f84ceac8c764f2f4d3be4ea61ec1f180d8d9f2056fc5db94714ed7594a927c
                                                        • Instruction ID: d00783801f43e5c49b60ef2ec6624fae6a7b8b9a83cc8ca3d94273064a5ac4be
                                                        • Opcode Fuzzy Hash: 20f84ceac8c764f2f4d3be4ea61ec1f180d8d9f2056fc5db94714ed7594a927c
                                                        • Instruction Fuzzy Hash: 2911D072409380AFDB228F25DC45B62FFB8EF06320F08C49EED858B563D265A458CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CopyFileW.KERNELBASE(?,?,?), ref: 06940B4A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: CopyFile
                                                        • String ID:
                                                        • API String ID: 1304948518-0
                                                        • Opcode ID: 8e7e6f436cef243f73bc148e6cafc0299373620c1e03b46e49f66587971769c3
                                                        • Instruction ID: b8a886bcd0ffbe529047ccdbf180ae51251643c5ab35cf46780f60d580fd74e0
                                                        • Opcode Fuzzy Hash: 8e7e6f436cef243f73bc148e6cafc0299373620c1e03b46e49f66587971769c3
                                                        • Instruction Fuzzy Hash: 2B11A1B2A002008FEB60DF29DC85B56FBE8EF04224F18C46ADD59CB642D670E404CB75
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 06940502
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: LookupPrivilegeValue
                                                        • String ID:
                                                        • API String ID: 3899507212-0
                                                        • Opcode ID: 8e7e6f436cef243f73bc148e6cafc0299373620c1e03b46e49f66587971769c3
                                                        • Instruction ID: 802f55c682a638b538137a89a2f11cd5e1d390c32e263c7b02ae34c7afc2a469
                                                        • Opcode Fuzzy Hash: 8e7e6f436cef243f73bc148e6cafc0299373620c1e03b46e49f66587971769c3
                                                        • Instruction Fuzzy Hash: 86118872A142008FEB60DF29DC85B66FBE8EF54310F18C46AED59CB642E674D444CB71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetFileType.KERNELBASE(?,00000E2C,C3008D77,00000000,00000000,00000000,00000000), ref: 069415AD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID:
                                                        • API String ID: 3081899298-0
                                                        • Opcode ID: 53e244dface9186731f51b757674a810d5fb961fc61ac09d69e1d124892f9526
                                                        • Instruction ID: d27a0c5560a501acac360355bc1b4c1855a56f9e8779ed340cba18a3f0821253
                                                        • Opcode Fuzzy Hash: 53e244dface9186731f51b757674a810d5fb961fc61ac09d69e1d124892f9526
                                                        • Instruction Fuzzy Hash: 290122B1800204AFE710DB19DC80FBAFBACEF44320F14C49AEE459B241C674A444CAB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: 45822ac0fc9b017752ffffacfba33265ee78423348b8124e648e0d7eb830ba58
                                                        • Instruction ID: ef5179f8585f31d4b3b0151961ec91248365998c09c874cda7ed3fd9ce3ff499
                                                        • Opcode Fuzzy Hash: 45822ac0fc9b017752ffffacfba33265ee78423348b8124e648e0d7eb830ba58
                                                        • Instruction Fuzzy Hash: F7C1BF74C45258CFDB28DFA5E4AC7ADBBB0FB0930AF10986AD015B7291DB785688CF11
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: LongWindow
                                                        • String ID:
                                                        • API String ID: 1378638983-0
                                                        • Opcode ID: b75dab2c7d5d9ef34f37c77e89b35c68bdabdee54010b212098506edab69ed26
                                                        • Instruction ID: 4096c7d2704f19426d5f383be3d3f83621551f756eebab628fe926275927a179
                                                        • Opcode Fuzzy Hash: b75dab2c7d5d9ef34f37c77e89b35c68bdabdee54010b212098506edab69ed26
                                                        • Instruction Fuzzy Hash: A2117C324097849FD7228F55DC85B52FFB4EF06320F08C49AED858B262D375A818CB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetFileAttributesW.KERNELBASE(?,?), ref: 06940C27
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: a74206a1f4920e38b74b0ced1e453c76cd12177b0e10fd6b1178e1c742ddafd4
                                                        • Instruction ID: 77743bfd7afc7d308e15692c0eb592f2932cba07e14ba35b57b31643cf4011f3
                                                        • Opcode Fuzzy Hash: a74206a1f4920e38b74b0ced1e453c76cd12177b0e10fd6b1178e1c742ddafd4
                                                        • Instruction Fuzzy Hash: 32019271900244DFEB60DF29D884B66FBD8EF44721F18C8AADD49CB642D274D404CAB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetErrorMode.KERNELBASE(?), ref: 022BA480
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: ErrorMode
                                                        • String ID:
                                                        • API String ID: 2340568224-0
                                                        • Opcode ID: 55114355d4344bedb76a8b0cc5aa9b1fab4ef64fcd74eebced9bd63f0b563028
                                                        • Instruction ID: 0ab10f14427ea9a79aafcdca67e826f5fc1b3dc46e7f62a889d4f2c34e5cd860
                                                        • Opcode Fuzzy Hash: 55114355d4344bedb76a8b0cc5aa9b1fab4ef64fcd74eebced9bd63f0b563028
                                                        • Instruction Fuzzy Hash: 571165754093849FD7128B25DC44B52FFB4EF46320F0980DAED954F263D275A948CB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DeleteFileW.KERNELBASE(?), ref: 06941894
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: 099548eb40e8bc78f8aa383cbc17f48d65aaa8847749fe6ce3b8d4b7158c155f
                                                        • Instruction ID: e63927d4e2fae14190e8950e9cc3895b799b5a8f93e51cf073801c8f983d8511
                                                        • Opcode Fuzzy Hash: 099548eb40e8bc78f8aa383cbc17f48d65aaa8847749fe6ce3b8d4b7158c155f
                                                        • Instruction Fuzzy Hash: D001D871A142408FEB50DF69D884B66FBD8EF00220F18C4ABDC19CF742D274D444CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 022BB4A9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoadShim
                                                        • String ID:
                                                        • API String ID: 1475914169-0
                                                        • Opcode ID: 646d7849a3633971c846f747aa8f2b95a8d210fe61fdeabfcf4501edd1ebe023
                                                        • Instruction ID: d8d60658866f2c07f5f4a745cc2470f4f8d13a5e9ef4e916da8138b87b5de4ef
                                                        • Opcode Fuzzy Hash: 646d7849a3633971c846f747aa8f2b95a8d210fe61fdeabfcf4501edd1ebe023
                                                        • Instruction Fuzzy Hash: D20180755102018FDB21CE59D885B62FBE8FF14764F08C49AED598B246D374E404CB71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022BA666
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 4eef2a5b8a5c5a5563a9f6c4b11de53b938fd47d7dabf479e024ee961ec790d7
                                                        • Instruction ID: ced25526c8cc3c0286bb3e6a556c539add95d6a320e7594d12a3bb463645fb18
                                                        • Opcode Fuzzy Hash: 4eef2a5b8a5c5a5563a9f6c4b11de53b938fd47d7dabf479e024ee961ec790d7
                                                        • Instruction Fuzzy Hash: F00184728106009FDF228FA5D944B56FFE4FF48310F08C56ADE594B656D375A414CF61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 06941D75
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: cc7336875a113c5588c838dd2314a46184632795abf6a1e7504251cd0c485980
                                                        • Instruction ID: dc91700687634b5aa02f580adb75cc5ad1e9ae347cfc3b10b89bbfe35d67befa
                                                        • Opcode Fuzzy Hash: cc7336875a113c5588c838dd2314a46184632795abf6a1e7504251cd0c485980
                                                        • Instruction Fuzzy Hash: C101D4729106009FEB609F15D884B65FFA4EF44320F08C59FDD594B652D271E458CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 069419ED
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.257679766.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 71944ee26436aaa5f4ea2b5cabc7f6145a04272f8db4e2c88c516c795cfc95c1
                                                        • Instruction ID: b52723f1b3087a2381e6263fc6500c05589b8448d359d6105d11c1f8ffc7f2eb
                                                        • Opcode Fuzzy Hash: 71944ee26436aaa5f4ea2b5cabc7f6145a04272f8db4e2c88c516c795cfc95c1
                                                        • Instruction Fuzzy Hash: 8601AD36810700DFEB20DF55D884B25FFA4FF08320F18C49ADD994B652D276A458CFA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: LongWindow
                                                        • String ID:
                                                        • API String ID: 1378638983-0
                                                        • Opcode ID: 022d85f372714fab8f0d789b4c6eed07b7be5ff68ae072ae29e5c61ff8864012
                                                        • Instruction ID: 9027aca9a3470e2bde40ea77405a5c4a60fd1aead49dfc544cf3a0f9f762271b
                                                        • Opcode Fuzzy Hash: 022d85f372714fab8f0d789b4c6eed07b7be5ff68ae072ae29e5c61ff8864012
                                                        • Instruction Fuzzy Hash: 0801F431424604DFDB21CF59D884B65FFA0EF14720F08C49ADD9A4B256C3B5A408CFB2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetErrorMode.KERNELBASE(?), ref: 022BA480
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253015627.00000000022BA000.00000040.00000001.sdmp, Offset: 022BA000, based on PE: false
                                                        Similarity
                                                        • API ID: ErrorMode
                                                        • String ID:
                                                        • API String ID: 2340568224-0
                                                        • Opcode ID: 447e26d8be88d78e02dbe9fdbb8bfc481684bd3beb3d60ffa923337b684dcfa8
                                                        • Instruction ID: 233f7425b29ea9947bc761f82e24e39aaf7998068792c19a92be458540711587
                                                        • Opcode Fuzzy Hash: 447e26d8be88d78e02dbe9fdbb8bfc481684bd3beb3d60ffa923337b684dcfa8
                                                        • Instruction Fuzzy Hash: B0F0C2758242448FDB11CF55E8887A5FFB4EF44320F08C0AADD994B35AD3B9A408CEA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: |m%r
                                                        • API String ID: 0-375019708
                                                        • Opcode ID: a287e1266dbf5665ab7a575ef9561460a3490cbccf92a2c6c782f6fe2d6e94b5
                                                        • Instruction ID: 72ad5650d9e461b519b209aad869e1d9cd383a6bfdd86f91af2ad3d5f0d02432
                                                        • Opcode Fuzzy Hash: a287e1266dbf5665ab7a575ef9561460a3490cbccf92a2c6c782f6fe2d6e94b5
                                                        • Instruction Fuzzy Hash: C9B1E234E80318DBEB14DFA9D854BADBBB2BF89700F208529D515BB384CBB15989CF15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: '
                                                        • API String ID: 0-1997036262
                                                        • Opcode ID: c7a9d9f9681a0a1277a791ff089b7f2d02545a176dc18f75603ba1e5fb2598d4
                                                        • Instruction ID: 62b4914a581bee8b60c57b27b8338ba4503bcef200da923f1e8f66c15e47badd
                                                        • Opcode Fuzzy Hash: c7a9d9f9681a0a1277a791ff089b7f2d02545a176dc18f75603ba1e5fb2598d4
                                                        • Instruction Fuzzy Hash: 7641D334A402288FDB54CF68C994BD9B7B2FB49304F5184E5D54DAB364CB31AE95CF40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: H'r
                                                        • API String ID: 0-336914518
                                                        • Opcode ID: 8205f23f8e155d306b04943dc209634aa7aa289d9546e0ccf4d2a4aa60aadc9f
                                                        • Instruction ID: 7972953cbec2beebd39fbf89400874d0777cd8234bddfded8ae3f2d8152d074b
                                                        • Opcode Fuzzy Hash: 8205f23f8e155d306b04943dc209634aa7aa289d9546e0ccf4d2a4aa60aadc9f
                                                        • Instruction Fuzzy Hash: 8A41D074940628DFDB65DF64DC88AD9BBB2BF89300F1085E5D909A7261CB316E94CF40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: "
                                                        • API String ID: 0-123907689
                                                        • Opcode ID: 659973a4a08ad110963c589046627dffdb3277b2370d9ee2f9b15e2af90b5d2e
                                                        • Instruction ID: 7201757e2c3bc1b17afb8e40cfee9124b1f940bff50c59d38891176cdee685c6
                                                        • Opcode Fuzzy Hash: 659973a4a08ad110963c589046627dffdb3277b2370d9ee2f9b15e2af90b5d2e
                                                        • Instruction Fuzzy Hash: 0B31AB31D01629CFCF26CF94D858ADDBBB2AF4A315F4044A5E549BB260C771AA9ACF40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %
                                                        • API String ID: 0-2567322570
                                                        • Opcode ID: 667917d2fe7cfadd9e044e28638325ecd7c467d91b2ed80efe226923af301bd1
                                                        • Instruction ID: fcc9e434cb2d20b6259e3bc1050e766ccceb716f0c8c4b1bdb906330566c3727
                                                        • Opcode Fuzzy Hash: 667917d2fe7cfadd9e044e28638325ecd7c467d91b2ed80efe226923af301bd1
                                                        • Instruction Fuzzy Hash: F9219A70D04298CFDB15DFA9D8283DEBBF6EF8A300F1484AAC089AB294D7349945CF41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %
                                                        • API String ID: 0-2567322570
                                                        • Opcode ID: cc364d2c20477569ae9aff0f775d93aa12c9c59bef7eed1cd43020e182be9dc2
                                                        • Instruction ID: a3ca80474a030ad2bddd4d615cc7135a13bf4675b3ec35050a6276a1a28c5964
                                                        • Opcode Fuzzy Hash: cc364d2c20477569ae9aff0f775d93aa12c9c59bef7eed1cd43020e182be9dc2
                                                        • Instruction Fuzzy Hash: 0A111670D04268CBDB58DFE9D85879EBBF6EB89301F1084A9C449AB284D7748985CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 94c0cde259c12da091d2b7b55133ca30bbb378741b3166bd31399c2c9b1974a8
                                                        • Instruction ID: 487dc4055cd8448aed3044ba7e0def959086045c0dae93d4d6ff10f9d64601a4
                                                        • Opcode Fuzzy Hash: 94c0cde259c12da091d2b7b55133ca30bbb378741b3166bd31399c2c9b1974a8
                                                        • Instruction Fuzzy Hash: DD71AFB4E05208DFDB54DFE9D8986ADBBB6FF89304F208169D809A7354DB345982CF11
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f93d9642ce284b847112c7e09f1b0de594140e3aa2582f0f72fc0ae5e7dc2acf
                                                        • Instruction ID: 4d49f19d6bd8619cf29b5a172e1a3f8f98c25e0819c680ad19ebdf5187f53191
                                                        • Opcode Fuzzy Hash: f93d9642ce284b847112c7e09f1b0de594140e3aa2582f0f72fc0ae5e7dc2acf
                                                        • Instruction Fuzzy Hash: 3E61E2B4D01209DFCB04DFA9D8986AEBBF6FF49301F20856AE819AB351DB745942CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253219965.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a7d8395c6828c194552c86c112ad939c45d37cd09e2372b73096279d46167ee1
                                                        • Instruction ID: e23f814fb7b24ecc512194fd79782f28af50ac3d7ee61496d6657ed32830ed6e
                                                        • Opcode Fuzzy Hash: a7d8395c6828c194552c86c112ad939c45d37cd09e2372b73096279d46167ee1
                                                        • Instruction Fuzzy Hash: A4018BB65097805FD7118F16DC41863FFF8EF86620749C49FEC8987612D265A905CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d348aa06f15431d1084e7ea30d88bc67362ba3a4f9e838d2cc1dd784887f5a15
                                                        • Instruction ID: a5b289df11cbb518a41e7f6e4473adb6fa9e3b601428f4d2d174f279072e3c37
                                                        • Opcode Fuzzy Hash: d348aa06f15431d1084e7ea30d88bc67362ba3a4f9e838d2cc1dd784887f5a15
                                                        • Instruction Fuzzy Hash: 070148B0C092099FCB04DFE8C9148ADBBF1EB45300F5081AAD448B7251DB34AA50CF62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b8426e0b9310af51ea66efbf3ffcff5e22c6629c2141de11cfdddd2f0e45e928
                                                        • Instruction ID: 7da7867d52fc5b83be1fc9c36d21076cb844eb9f0c40bdfaf7e5d1dc9abe4cf4
                                                        • Opcode Fuzzy Hash: b8426e0b9310af51ea66efbf3ffcff5e22c6629c2141de11cfdddd2f0e45e928
                                                        • Instruction Fuzzy Hash: 9EF09070E04208EFDB54EFFDD454AAEBBBAEF85300F2084A99805A3344DF319A50CB85
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4669f074766e4a7106b4db30f76cef484441ea1a519e6c22e2e3fa6065e1783e
                                                        • Instruction ID: 98c569734d17f9d9c968cec804238906be11c1ea07265d2e8cc9b0146f6c4e3a
                                                        • Opcode Fuzzy Hash: 4669f074766e4a7106b4db30f76cef484441ea1a519e6c22e2e3fa6065e1783e
                                                        • Instruction Fuzzy Hash: 5701E4B0D052099FCB08DFE8D9449AEBBF5EB48300F5081A9D448B3351DB30AA50CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d9d9367328d979c0c72d413a9de7b717dae56e2276d6edcbf10a111c59c93ef0
                                                        • Instruction ID: b7165a9edd332c397586803f21cf9d6aa2a05bb656cfac4efe30d21a78677284
                                                        • Opcode Fuzzy Hash: d9d9367328d979c0c72d413a9de7b717dae56e2276d6edcbf10a111c59c93ef0
                                                        • Instruction Fuzzy Hash: 9E01C434A40618CFEB50CFA4D8A8AD9B7B1EB49301F5044E5E50DAB364CB30AE95CE41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253027997.00000000022C2000.00000040.00000001.sdmp, Offset: 022C2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 80212459a2dc265942e447a2e69bd09f76204c3a7564b1a93860183a206eb3c3
                                                        • Instruction ID: 9fe97be0b464db2d38cee1782bb545489c2a975abdadbc0ab8b22bcf13b91732
                                                        • Opcode Fuzzy Hash: 80212459a2dc265942e447a2e69bd09f76204c3a7564b1a93860183a206eb3c3
                                                        • Instruction Fuzzy Hash: C4F0ECB3E41204ABD1109F05AC55F56F798FB95630F18C97BEC085F701E17165148AA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 402dee2f8406cea4b86e39b4bdf351120f1d3bc691fab90f2b5ecb03b084d7ac
                                                        • Instruction ID: 0f789aedff4864e99cf80d248829db3be95c390b384f66c396085422b5e8cdd8
                                                        • Opcode Fuzzy Hash: 402dee2f8406cea4b86e39b4bdf351120f1d3bc691fab90f2b5ecb03b084d7ac
                                                        • Instruction Fuzzy Hash: 75F0E270C492489FCB25DF64E86A9BEBF36EF07300F10C0AAEC446725AC7358A45CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253219965.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
                                                        • Instruction ID: e6523f9a4659e3a4948d508ed0edca34e2cda3336f31902ce95ed1c4d4ef6723
                                                        • Opcode Fuzzy Hash: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
                                                        • Instruction Fuzzy Hash: 3AF01D35104645DFC706CF40D940B66FBA6EB89718F24C6ADE9490BB52C737D813DE81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ba56e82a455c539c66c39beaa0fe8523b46d8559e2b5f12840b33bc776cd6e5d
                                                        • Instruction ID: 168d4ed52d8667e637fbfa6beb1fcc84723b1e21126b03175d53695e5188852d
                                                        • Opcode Fuzzy Hash: ba56e82a455c539c66c39beaa0fe8523b46d8559e2b5f12840b33bc776cd6e5d
                                                        • Instruction Fuzzy Hash: 2CF05E70C05208EFCB02DFA4D0149AEBFB5EB46311F2081FAD84056211D7750A91DF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253219965.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5ecce6caee08896304c48a2d6f88c5b2ffbd02802f95b5082d69e30ac05dac94
                                                        • Instruction ID: f84217382241662f103653b142904f83811b3a8bc1bada1c67c45fa4cd651028
                                                        • Opcode Fuzzy Hash: 5ecce6caee08896304c48a2d6f88c5b2ffbd02802f95b5082d69e30ac05dac94
                                                        • Instruction Fuzzy Hash: 8AE092B66046004BD650CF0AEC81462F7D8EB84730B58C47FDC0D8B701E535B504CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 11f3ba18aaf6afd5733131783cdc139daac2cb23967bb707232f8fe319126826
                                                        • Instruction ID: 3fe912df33a4dd1e399c1f59d9b69d54e6095d78fa7b4582859c6cdcbbad224c
                                                        • Opcode Fuzzy Hash: 11f3ba18aaf6afd5733131783cdc139daac2cb23967bb707232f8fe319126826
                                                        • Instruction Fuzzy Hash: 4DE0687184A208EFC701DBB0D4089D53B38EB03300F0440EAEC4467232E776AA65DBB2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253027997.00000000022C2000.00000040.00000001.sdmp, Offset: 022C2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5f03c2c84c6fa43892878358982d09f26badc5789362bffbaeaaf218e276e8a7
                                                        • Instruction ID: 58bbfc3949d3a8a3fd7e7be53deda21084d191a46274eae7647f202d6f73a8b0
                                                        • Opcode Fuzzy Hash: 5f03c2c84c6fa43892878358982d09f26badc5789362bffbaeaaf218e276e8a7
                                                        • Instruction Fuzzy Hash: 79E0D8B25412006BE2109F0ADC82F23FB58EB90A30F04C56BED085B302E071B5148AE1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253027997.00000000022C2000.00000040.00000001.sdmp, Offset: 022C2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ff46ca87eaf5922f71ddc7a59ec05a16061fa77cf6c2d76bc5a24db8175e012e
                                                        • Instruction ID: 682811d9ba822bde7ca61dc1abb1a64bf7a6aee8d0a325179e59ae35c00309aa
                                                        • Opcode Fuzzy Hash: ff46ca87eaf5922f71ddc7a59ec05a16061fa77cf6c2d76bc5a24db8175e012e
                                                        • Instruction Fuzzy Hash: 82E0D8B25517006BE2109E0A9C82B23FB58EB80A30F04C567ED085B702E071B5148AE5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253027997.00000000022C2000.00000040.00000001.sdmp, Offset: 022C2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 40e38ed0c4d432bdaef15fc2131efd09d68e0e4deba0c24d500224fffb8df2f8
                                                        • Instruction ID: fc88f8d611a9f188c68777ca958d569e44722f4b077581f52babef697cd0a142
                                                        • Opcode Fuzzy Hash: 40e38ed0c4d432bdaef15fc2131efd09d68e0e4deba0c24d500224fffb8df2f8
                                                        • Instruction Fuzzy Hash: 68E020B25413006BE6108F0ADC82B22FB9CEB44A30F44C567ED095F341E075B5048AE5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253027997.00000000022C2000.00000040.00000001.sdmp, Offset: 022C2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 482d8a094ddc85783ec73c499ab6ceba6da0a2e2a67b8cf6775858bcbd18eb69
                                                        • Instruction ID: f889dac3e572bf41459e88250af9080839ba02bc5dc6bd6bc9d9b9aa23f00d8a
                                                        • Opcode Fuzzy Hash: 482d8a094ddc85783ec73c499ab6ceba6da0a2e2a67b8cf6775858bcbd18eb69
                                                        • Instruction Fuzzy Hash: 12E020B25413006BE2508F0BDC82B22FB5CEB80A30F44C567ED085F301E075B5148AE5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253027997.00000000022C2000.00000040.00000001.sdmp, Offset: 022C2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 29d2c634df24ffaa1dfc670b9a0559aecfcd3e69999caf40c82a9fa6ec649ba0
                                                        • Instruction ID: 398c215544b84fb66f6b53a52e3f35b3e908f6324b8aab19fb9c687f6d2ee08c
                                                        • Opcode Fuzzy Hash: 29d2c634df24ffaa1dfc670b9a0559aecfcd3e69999caf40c82a9fa6ec649ba0
                                                        • Instruction Fuzzy Hash: 03E0D8B25416006BE2508F0A9C82F22FB58EB90A30F04C56BED085B302E071B5148AE5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253027997.00000000022C2000.00000040.00000001.sdmp, Offset: 022C2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 81e030134c72f1ce31f047155ab55b01ce4010de70344e38f1a30edc57961bdf
                                                        • Instruction ID: b611948f3025d089dee28174ed2947b809c5e28ea8f0847078d25dd489eff8dc
                                                        • Opcode Fuzzy Hash: 81e030134c72f1ce31f047155ab55b01ce4010de70344e38f1a30edc57961bdf
                                                        • Instruction Fuzzy Hash: 97E020B29413006BE2108F0ADC82B23FB5CEB40E30F44C96BED085F302E076B5148AE5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253027997.00000000022C2000.00000040.00000001.sdmp, Offset: 022C2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 77fc53f34214ec76e2bc00044b08668f9b5a5ee19a55851a2547d1cd6e7ece4c
                                                        • Instruction ID: a3c8f759ea1c23ace7e1a18004893cdb10de895331578bd9f673d710cc297800
                                                        • Opcode Fuzzy Hash: 77fc53f34214ec76e2bc00044b08668f9b5a5ee19a55851a2547d1cd6e7ece4c
                                                        • Instruction Fuzzy Hash: AEE0D8B25412006BE2108F0A9C86F23FB58EB90A30F04C56BED085B301E071B5148AE1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8953480db5985a1e9bad98d9f1a54e89188cc02d50d390843001ed8defb17363
                                                        • Instruction ID: 020d68f6b9d17a833e2c66dd0c4afe5a258f71a0c39adddcf393fc9923d1e14c
                                                        • Opcode Fuzzy Hash: 8953480db5985a1e9bad98d9f1a54e89188cc02d50d390843001ed8defb17363
                                                        • Instruction Fuzzy Hash: B4E04F70C49208EBC714EF94E85A6BEFF3EEB46301F109465AC0527346CB319A54DF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 38363ba1c23aef9c3c8f2e8110b1583b244b94a453f80264859458507b7d019e
                                                        • Instruction ID: 4a7d896b5e8389b07a466e25806b83acf58f6aabcc6b1b1c16b4dc991f709990
                                                        • Opcode Fuzzy Hash: 38363ba1c23aef9c3c8f2e8110b1583b244b94a453f80264859458507b7d019e
                                                        • Instruction Fuzzy Hash: ADE09230C4A248DFCB119FB894955ECBFB8DB07301F1010E9D44493212D6750A5ADB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b6cba7f752e158e6f286f27ae90f0456fe2f8e3b3070b4a0eaf4f9cca2adc12b
                                                        • Instruction ID: 073558cc88f770149152282ca938f48323941a058e10eb72f6e11e06923fe1d9
                                                        • Opcode Fuzzy Hash: b6cba7f752e158e6f286f27ae90f0456fe2f8e3b3070b4a0eaf4f9cca2adc12b
                                                        • Instruction Fuzzy Hash: 1EF03070D4A245AFCB15DFA4D4941DCBF75EB46300F1580E7D84497212C6794955CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0d87d25beaabba917331383f5c33a65b4dda0e20c9314b2a65f2c3708d10027b
                                                        • Instruction ID: 08d729e5e73be507b05d912bc32760dccc8e48c094051aca6f9970c75fff1be5
                                                        • Opcode Fuzzy Hash: 0d87d25beaabba917331383f5c33a65b4dda0e20c9314b2a65f2c3708d10027b
                                                        • Instruction Fuzzy Hash: A0F01534904208EFCF05DF98D8449ADBBB9EB48300F2084AAEC0963351C7329A61EF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d1fd76e68dfd86910a759a54a75f990365a882a493ba69067b246d685ac2de75
                                                        • Instruction ID: 5ecb081917b2b4efbc993ff9b03a779de666cd1b70d13f200f0281a6ed118d51
                                                        • Opcode Fuzzy Hash: d1fd76e68dfd86910a759a54a75f990365a882a493ba69067b246d685ac2de75
                                                        • Instruction Fuzzy Hash: 83E01A74D45208DFC744EFA4E44C9ADBBBAFB49305F2095B8D80963340DB712A54CF84
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 82c77ba0d2027c965e3a67149ba2f7ed65aa626413a53de8742ae09bd77c1845
                                                        • Instruction ID: b4bc06998639e7384b029116629cd73a73039615fdd696545081a6b2495f9ca6
                                                        • Opcode Fuzzy Hash: 82c77ba0d2027c965e3a67149ba2f7ed65aa626413a53de8742ae09bd77c1845
                                                        • Instruction Fuzzy Hash: 27F09D74D00259DFDB64DF68E998B9CBBB1FB49300F1089EAD50AA2254DB705E91CF10
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4167cd5b24644f189b86aee13aed4a4aabdb6cd4b4a4fb87b627709d4b8f1da6
                                                        • Instruction ID: 50450f7308dbf16bdf8483e2761306b400b93fcb091c86353f7e5dff5984930c
                                                        • Opcode Fuzzy Hash: 4167cd5b24644f189b86aee13aed4a4aabdb6cd4b4a4fb87b627709d4b8f1da6
                                                        • Instruction Fuzzy Hash: 9AE09A70C08244DFC705DBA8C0A82983FB4EF07200F1411E5D888A7322D6B05A16EB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b5bab202153db13719a72e63255d415db4eca9483eb78ad01ad66eb628fda910
                                                        • Instruction ID: 4722223769685fbd92b648f83b4a8ec6aeadd08681a401eedc0ce0f6d45c31d0
                                                        • Opcode Fuzzy Hash: b5bab202153db13719a72e63255d415db4eca9483eb78ad01ad66eb628fda910
                                                        • Instruction Fuzzy Hash: C6E01A74D04208EFCB04DFA8D554AACFBB9EB4A300F20C4AADC4467351CA369A52DF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5320d92949764661d83930175b9608f5cdfc832360a0c3aa084afac1fe61941d
                                                        • Instruction ID: fa865477a406faed6001860a9ffd8d24e784804a603b1146eeeb10f3a5e6c1ad
                                                        • Opcode Fuzzy Hash: 5320d92949764661d83930175b9608f5cdfc832360a0c3aa084afac1fe61941d
                                                        • Instruction Fuzzy Hash: 7FE02B7084E30CEFCB09DE74D91679AB7ADCB03700F0048B5D40563282DAF86E40CA62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3d3b9cb021f9baf890adcd0f36d1d59bc131733a05928b7df99833632dbfb6e7
                                                        • Instruction ID: 72b1553cf319933c881ab8a02f66d56019ef6658915dc20d25f987b91842f56c
                                                        • Opcode Fuzzy Hash: 3d3b9cb021f9baf890adcd0f36d1d59bc131733a05928b7df99833632dbfb6e7
                                                        • Instruction Fuzzy Hash: EEE04F34D08108EFC704DF98D4886ACFBB8EB48704F2084AAD80867341CB316E52CF40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e673dad14d0a79263eac384d4e3b2fbbe3a49cf6456a5f886966a597f0abe9a4
                                                        • Instruction ID: 752f7e6ae87cdbc991db6614372739b885f1eba0b5a5489cbeaab2c62942528a
                                                        • Opcode Fuzzy Hash: e673dad14d0a79263eac384d4e3b2fbbe3a49cf6456a5f886966a597f0abe9a4
                                                        • Instruction Fuzzy Hash: 5AE09274D05208EBCB04EFA8D4489AEBBB9EB88701F2081BAD84466341D7765A90DFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1e06d5311aa4569b174a3face7c98bbc7168c885b4bee257409952f8dc9f27c4
                                                        • Instruction ID: 71e9922c3a4056f1f8a8d3f24710f59e891702c8aa584a2889d617ee71f12c71
                                                        • Opcode Fuzzy Hash: 1e06d5311aa4569b174a3face7c98bbc7168c885b4bee257409952f8dc9f27c4
                                                        • Instruction Fuzzy Hash: 9CE09A30C49284EFC701DBE8D0681ADBFB8EF07201F1004E9CC8553292D6345920CB92
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 67422519acf1f96ca24ec868091a11f1a39e5770108e2604ce221d261bf38fa0
                                                        • Instruction ID: 56aeb4b1b98f00a9cb9d82b869841d37e7242dfc8e48b4a30f6142836d5bbdb5
                                                        • Opcode Fuzzy Hash: 67422519acf1f96ca24ec868091a11f1a39e5770108e2604ce221d261bf38fa0
                                                        • Instruction Fuzzy Hash: 60E0C23044620CEFC704EF94C5049997B6DEB05300F1041A8E80863331D772AA20DBB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e33fd4ae2c8d9d825747e2d4e4d6ab23eef373e38536a46ac0b6ae5906a2433c
                                                        • Instruction ID: c26122ed37ac7fec190c4f71b34505edc7e777f89753e76609b231042e87e75f
                                                        • Opcode Fuzzy Hash: e33fd4ae2c8d9d825747e2d4e4d6ab23eef373e38536a46ac0b6ae5906a2433c
                                                        • Instruction Fuzzy Hash: 9BE0EC74D45208EBCB14DFE8E4496ADFBB8EB84300F2081AADC1563351D7B55E54CF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1c38ee454de7bf5ffeebf902dec5839e236be196e7b7bedda9b8360986a371d5
                                                        • Instruction ID: cbd985a92ba676776f77fc4b0407e0285053575ce498ebe20439c6a5bcfcc324
                                                        • Opcode Fuzzy Hash: 1c38ee454de7bf5ffeebf902dec5839e236be196e7b7bedda9b8360986a371d5
                                                        • Instruction Fuzzy Hash: 1FE01734D54208DFC700EFA8D048AADBBB8EB05605F2041E8DC8467351DB716A94CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7e21b9fd30516e6fa673a9868ebca2a73381821e183d485bc711f3d4f700f40c
                                                        • Instruction ID: d0efe4f42872c67384887d5caa11d8bfc4d149e2f5b96090de15ad34647ca4be
                                                        • Opcode Fuzzy Hash: 7e21b9fd30516e6fa673a9868ebca2a73381821e183d485bc711f3d4f700f40c
                                                        • Instruction Fuzzy Hash: 3FD05E70C8620CDBDB00EFADE5896ACBFBDEB05701F2000E8E80463341EB751A54DB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 34a5215bb3d88542cfdb565cf13443c8ed0953f8b72d78e057872762cfcb1f44
                                                        • Instruction ID: b1430062f9eb9f53c6c25221bda129f167d1ca3bc828717a50810027af41a0c7
                                                        • Opcode Fuzzy Hash: 34a5215bb3d88542cfdb565cf13443c8ed0953f8b72d78e057872762cfcb1f44
                                                        • Instruction Fuzzy Hash: F1D01730C89208DBCB40EBA8E5096AEBBBCEB06211F2044A8980563382DB755A50CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bba4e7ef670f34de902adec0844880f5788406bc94269679f87c87cc9a339ab7
                                                        • Instruction ID: b65071331a8163e8c8b1acf6d000c08aceeea7d5655b800429c6755ff74ff51a
                                                        • Opcode Fuzzy Hash: bba4e7ef670f34de902adec0844880f5788406bc94269679f87c87cc9a339ab7
                                                        • Instruction Fuzzy Hash: 14D05E70C55309EBCB40EFA8E4896ACBBB9EB05701F2000A8D80563341DB701E94CB55
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 71a1bbe671472c0e185f92c97f123d56cd881355e8290bd846f01259a2d55add
                                                        • Instruction ID: c999231e96d49ff74b826b486b989b2c28147a4101f149c75434169de869f537
                                                        • Opcode Fuzzy Hash: 71a1bbe671472c0e185f92c97f123d56cd881355e8290bd846f01259a2d55add
                                                        • Instruction Fuzzy Hash: D5D0A970889208EFC344EFA8E408A6AB7BCE702201F2008A8940A232418B715A50CA64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d2ac4e2dcb5fdb05e12434d6b28bcfa19de25a1bc392ffc04850ad261b4e13e6
                                                        • Instruction ID: 9ff355da07f57d2f445743aa9ac9cd358f6c9589682e3dfdf212f5a073d934e5
                                                        • Opcode Fuzzy Hash: d2ac4e2dcb5fdb05e12434d6b28bcfa19de25a1bc392ffc04850ad261b4e13e6
                                                        • Instruction Fuzzy Hash: 57D0A97184A308DBCB08DAA8E0046AAB7BDDB02205F2004BC880A12281DF729E40CAA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 61350263f13ddc06c203627c7364321375d5b1b55ec820c3c691310daf8ce1c1
                                                        • Instruction ID: bb779bb23b9c32834b355f1b7ba2ebb300bc30466ac5e7af85fdf3e3313c548a
                                                        • Opcode Fuzzy Hash: 61350263f13ddc06c203627c7364321375d5b1b55ec820c3c691310daf8ce1c1
                                                        • Instruction Fuzzy Hash: ABD0137048610CD7C704D6A9D41567A7B5DD743604F10586B9445132519E751D10C799
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253007884.00000000022B2000.00000040.00000001.sdmp, Offset: 022B2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1a930efd943310d6e2a111c5aa79ca87a91ae0785519bc1e01078322af87329f
                                                        • Instruction ID: 3fb9ae37eae9e41ed92049f3dbd91c244d40c444b5a6410c9e4aa502a34f5a73
                                                        • Opcode Fuzzy Hash: 1a930efd943310d6e2a111c5aa79ca87a91ae0785519bc1e01078322af87329f
                                                        • Instruction Fuzzy Hash: 8CD05E79215B928FD3278A1CC1A8BD53FA4EF51B09F4644F9EC008BA67C368D5C1D200
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 073a545ba60cce8fd9ca3bfb05ab1f3bd941819699a023463f326ef381f7a1c2
                                                        • Instruction ID: bc85e4b3df670ed942ea9dc94af051f141f9b7525a1ebb2d85482a112edfde36
                                                        • Opcode Fuzzy Hash: 073a545ba60cce8fd9ca3bfb05ab1f3bd941819699a023463f326ef381f7a1c2
                                                        • Instruction Fuzzy Hash: D5E09274D01628CFCB66CF14DC50798B7B9AB08201F1010EAE40EAB710E7306F818F00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253007884.00000000022B2000.00000040.00000001.sdmp, Offset: 022B2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5ca06d6879692e6c52b06e037318b651fb8212bf7f3eb67ce88fb8da3abe7a8b
                                                        • Instruction ID: 1b7d3a91317ecf7567ddec143577544d442f67e236b6fff4702a64ade51e67bc
                                                        • Opcode Fuzzy Hash: 5ca06d6879692e6c52b06e037318b651fb8212bf7f3eb67ce88fb8da3abe7a8b
                                                        • Instruction Fuzzy Hash: D7D05E342113828BC716DB1CC194F9937D4AF41B04F0644E8BC008F266C3A4E8C1C600
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 05bcb9c9c3cac8873384488e8fdbaf8adacf571fa53902ec93dbed4d5b440915
                                                        • Instruction ID: 4767c3b492d2b3d3951f289ca57834f3769454b73f3d01c01ab96f912e2a0e28
                                                        • Opcode Fuzzy Hash: 05bcb9c9c3cac8873384488e8fdbaf8adacf571fa53902ec93dbed4d5b440915
                                                        • Instruction Fuzzy Hash: D4D05EB0C44108DBDB00CF5CE09479CBBB5FB09304F1049E9D04593214D7718AD08F00
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0cd8d08b4f08aabb3a165a61696f4728c2eaf8bf9cc1f25a63bd93c70b6dde0d
                                                        • Instruction ID: a843b339eab4843c06b218763eaa55d64109b1143079b59c64a8c0e4912f9a63
                                                        • Opcode Fuzzy Hash: 0cd8d08b4f08aabb3a165a61696f4728c2eaf8bf9cc1f25a63bd93c70b6dde0d
                                                        • Instruction Fuzzy Hash: EAC09B210DA50941D154329D656D3B6F69DC755714F643D33570C155528DF55070C475
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ff0b688178e4e2790af37b63bfc5bfa6b7da65ca209f3c09b9899051ed757651
                                                        • Instruction ID: 452b807a23b70152abfc69bd28a0d6bf200ec75a858efe620cd22903b147d2de
                                                        • Opcode Fuzzy Hash: ff0b688178e4e2790af37b63bfc5bfa6b7da65ca209f3c09b9899051ed757651
                                                        • Instruction Fuzzy Hash: 6EB0927095025C8BDF10DF91C860AEEB332BF41300F20815AC55923AA887B05902CEA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: `5(r
                                                        • API String ID: 0-3683955166
                                                        • Opcode ID: 0ef096371c9e3bbaf3baf52f8742e805ab24ee92a7a49268505950515d21a9e1
                                                        • Instruction ID: 521fe792329193a727c0a3455988964f4212c6d1bca14f45a62915ee6cb7f166
                                                        • Opcode Fuzzy Hash: 0ef096371c9e3bbaf3baf52f8742e805ab24ee92a7a49268505950515d21a9e1
                                                        • Instruction Fuzzy Hash: 25515E70E0061ACFD745EFAAE94478EBBF2FF84304F24C569D109AB368EB7018568B51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.253199178.00000000023A0000.00000040.00000001.sdmp, Offset: 023A0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: `5(r
                                                        • API String ID: 0-3683955166
                                                        • Opcode ID: 8312412f0de01c95d20101c630cfac58a5cf84f127a3637fa68673eaf8543a0c
                                                        • Instruction ID: dae71af13ab9ddbe3490135f1cd5ee24296735cb0a4a4911b20584c16eb76450
                                                        • Opcode Fuzzy Hash: 8312412f0de01c95d20101c630cfac58a5cf84f127a3637fa68673eaf8543a0c
                                                        • Instruction Fuzzy Hash: C5516F70E00619CFD745EFAEE94478EBBF2FF84304F24C569D108AB268EB7018558B61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%