
Windows Analysis Report PO4567328901.exe

Overview

General Information

Sample Name: PO4567328901.exe
Analysis ID: 532821
MD5: 0346606c84796f9a92803e29daecad72
SHA1: 4fbae6bc6fe32fa19088ea77969f1c6de354d18c
SHA256: 9c0608f3b43dc5252841b632ed93c76252e712464be27e8932e10c86f19a8f07
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • PO4567328901.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\PO4567328901.exe" MD5: 0346606C84796F9A92803E29DAECAD72)
    • PO4567328901.exe (PID: 4180 cmdline: {path} MD5: 0346606C84796F9A92803E29DAECAD72)
    • PO4567328901.exe (PID: 6124 cmdline: {path} MD5: 0346606C84796F9A92803E29DAECAD72)
    • PO4567328901.exe (PID: 3184 cmdline: {path} MD5: 0346606C84796F9A92803E29DAECAD72)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "zspamming@modularelect.com", "Password": "successman12@", "Host": "mail.modularelect.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.703382608.00000000035F9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.703382608.00000000035F9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000006.00000000.692121481.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000006.00000000.692121481.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000006.00000000.693283829.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 13 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.0.PO4567328901.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
6.0.PO4567328901.exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.PO4567328901.exe.37766d8.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.PO4567328901.exe.37766d8.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
6.0.PO4567328901.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 13 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 6.0.PO4567328901.exe.400000.6.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "zspamming@modularelect.com", "Password": "successman12@", "Host": "mail.modularelect.com"}
Machine Learning detection for sample
Source: PO4567328901.exe | Joe Sandbox ML: detected
Source: 6.0.PO4567328901.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.PO4567328901.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.2.PO4567328901.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.PO4567328901.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.PO4567328901.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.PO4567328901.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: PO4567328901.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO4567328901.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View | ASN Name: CTRLS-AS-INCtrlSDatacentersLtdIN
Source: Joe Sandbox View | IP Address: 103.248.80.5
Source: global traffic | TCP traffic: 192.168.2.4:49851 -> 103.248.80.5:587
Source: PO4567328901.exe, 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PO4567328901.exe, 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: PO4567328901.exe, 00000006.00000002.934476615.0000000002DD0000.00000004.00000001.sdmp, PO4567328901.exe, 00000006.00000002.932337607.0000000000BCD000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: PO4567328901.exe, 00000006.00000002.936469044.00000000067B0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: PO4567328901.exe, 00000006.00000002.934476615.0000000002DD0000.00000004.00000001.sdmp, PO4567328901.exe, 00000006.00000002.932337607.0000000000BCD000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PO4567328901.exe, 00000006.00000002.934476615.0000000002DD0000.00000004.00000001.sdmp, PO4567328901.exe, 00000006.00000002.934511795.0000000002DDE000.00000004.00000001.sdmp, PO4567328901.exe, 00000006.00000002.932337607.0000000000BCD000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PO4567328901.exe, 00000006.00000002.934476615.0000000002DD0000.00000004.00000001.sdmp | String found in binary or memory: http://mail.modularelect.com
Source: PO4567328901.exe, 00000006.00000002.934476615.0000000002DD0000.00000004.00000001.sdmp, PO4567328901.exe, 00000006.00000002.934511795.0000000002DDE000.00000004.00000001.sdmp, PO4567328901.exe, 00000006.00000002.932337607.0000000000BCD000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: PO4567328901.exe, 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp | String found in binary or memory: http://pdvOKN.com
Source: PO4567328901.exe, 00000000.00000002.701668697.00000000025F1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO4567328901.exe, 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp | String found in binary or memory: https://ngLbihuDlAdBVmL.net
Source: PO4567328901.exe, 00000006.00000002.934476615.0000000002DD0000.00000004.00000001.sdmp, PO4567328901.exe, 00000006.00000002.934511795.0000000002DDE000.00000004.00000001.sdmp, PO4567328901.exe, 00000006.00000002.932337607.0000000000BCD000.00000004.00000020.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: PO4567328901.exe, 00000000.00000002.703382608.00000000035F9000.00000004.00000001.sdmp, PO4567328901.exe, 00000006.00000000.692121481.0000000000402000.00000040.00000001.sdmp, PO4567328901.exe, 00000006.00000000.691722265.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PO4567328901.exe, 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.modularelect.com
Source: PO4567328901.exe, 00000000.00000002.698205061.0000000000840000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 6.0.PO4567328901.exe.400000.6.unpack, <PrivateImplementationDetails>{439F52F2-5D4C-41FE-9909-814215E8D13A}/B5237BC9-09A6-4CFA-B911-F96F961E35D7.cs | Large array initialization: .cctor: array initializer size 11944
Source: 6.0.PO4567328901.exe.400000.4.unpack, <PrivateImplementationDetails>{439F52F2-5D4C-41FE-9909-814215E8D13A}/B5237BC9-09A6-4CFA-B911-F96F961E35D7.cs | Large array initialization: .cctor: array initializer size 11944
Source: 6.2.PO4567328901.exe.400000.0.unpack, <PrivateImplementationDetails>{439F52F2-5D4C-41FE-9909-814215E8D13A}/B5237BC9-09A6-4CFA-B911-F96F961E35D7.cs | Large array initialization: .cctor: array initializer size 11944
Source: 6.0.PO4567328901.exe.400000.10.unpack, <PrivateImplementationDetails>{439F52F2-5D4C-41FE-9909-814215E8D13A}/B5237BC9-09A6-4CFA-B911-F96F961E35D7.cs | Large array initialization: .cctor: array initializer size 11944
Source: 6.0.PO4567328901.exe.400000.8.unpack, <PrivateImplementationDetails>{439F52F2-5D4C-41FE-9909-814215E8D13A}/B5237BC9-09A6-4CFA-B911-F96F961E35D7.cs | Large array initialization: .cctor: array initializer size 11944
Source: 6.0.PO4567328901.exe.400000.12.unpack, <PrivateImplementationDetails>{439F52F2-5D4C-41FE-9909-814215E8D13A}/B5237BC9-09A6-4CFA-B911-F96F961E35D7.cs | Large array initialization: .cctor: array initializer size 11944
Source: PO4567328901.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_00836660
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_008399A8
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_0083C650
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_00839850
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_02391B60
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_04B94908
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_04B948FA
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_00E75420
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_00E71DD8
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_00E77788
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_00E74058
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_00E78E68
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_00E77728
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_010246A0
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_01024690
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_0102DA00
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_05BDB698
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_05BD6620
Source: PO4567328901.exe, 00000000.00000002.696340666.000000000018A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamen77Le.exe8 vs PO4567328901.exe
Source: PO4567328901.exe, 00000000.00000002.703382608.00000000035F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO4567328901.exe
Source: PO4567328901.exe, 00000000.00000002.703382608.00000000035F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamehQnJrSkBAwrlCsxArMyNaVDUxwGymTfmr.exe4 vs PO4567328901.exe
Source: PO4567328901.exe, 00000000.00000002.698205061.0000000000840000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO4567328901.exe
Source: PO4567328901.exe, 00000000.00000002.702851390.000000000292B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO4567328901.exe
Source: PO4567328901.exe, 00000000.00000002.701668697.00000000025F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs PO4567328901.exe
Source: PO4567328901.exe, 00000000.00000002.701668697.00000000025F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamehQnJrSkBAwrlCsxArMyNaVDUxwGymTfmr.exe4 vs PO4567328901.exe
Source: PO4567328901.exe, 00000000.00000002.705042510.0000000006DC0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO4567328901.exe
Source: PO4567328901.exe, 00000004.00000000.684917641.000000000021A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamen77Le.exe8 vs PO4567328901.exe
Source: PO4567328901.exe, 00000005.00000000.688549462.000000000018A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamen77Le.exe8 vs PO4567328901.exe
Source: PO4567328901.exe, 00000006.00000000.692792124.00000000006EA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamen77Le.exe8 vs PO4567328901.exe
Source: PO4567328901.exe, 00000006.00000000.692121481.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamehQnJrSkBAwrlCsxArMyNaVDUxwGymTfmr.exe4 vs PO4567328901.exe
Source: PO4567328901.exe, 00000006.00000002.932124392.0000000000AF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO4567328901.exe
Source: PO4567328901.exe | Binary or memory string: OriginalFilenamen77Le.exe8 vs PO4567328901.exe
Source: PO4567328901.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO4567328901.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\PO4567328901.exe "C:\Users\user\Desktop\PO4567328901.exe"
Source: C:\Users\user\Desktop\PO4567328901.exe | Process created: C:\Users\user\Desktop\PO4567328901.exe {path} (6 identical entries)
Source: C:\Users\user\Desktop\PO4567328901.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\PO4567328901.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO4567328901.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO4567328901.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO4567328901.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/1@1/1
Source: C:\Users\user\Desktop\PO4567328901.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 6.0.PO4567328901.exe.400000.6.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.PO4567328901.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.PO4567328901.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\PO4567328901.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO4567328901.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO4567328901.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO4567328901.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO4567328901.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_00106616 push edx; iretd 0_2_0010661F
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_00104D1A push ebx; ret 0_2_00104D1D
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_00107200 push edi; ret 0_2_0010720F
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_00106187 push cs; ret 0_2_00106188
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_001075B9 push eax; ret 0_2_001075BF
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_00105AA5 push cs; ret 0_2_00105B15
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_001049F1 push edx; ret 0_2_001049FB
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_00838570 push edx; iretd 0_2_0083872B
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 0_2_04B92A12 pushad ; ret 0_2_04B92A43
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 4_2_00194D1A push ebx; ret 4_2_00194D1D
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 4_2_00196616 push edx; iretd 4_2_0019661F
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 4_2_00197200 push edi; ret 4_2_0019720F
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 4_2_00196187 push cs; ret 4_2_00196188
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 4_2_001975B9 push eax; ret 4_2_001975BF
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 4_2_00195AA5 push cs; ret 4_2_00195B15
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 4_2_001949F1 push edx; ret 4_2_001949FB
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_00667200 push edi; ret 6_2_0066720F
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_00666616 push edx; iretd 6_2_0066661F
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_00664D1A push ebx; ret 6_2_00664D1D
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_006649F1 push edx; ret 6_2_006649FB
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_00665AA5 push cs; ret 6_2_00665B15
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_006675B9 push eax; ret 6_2_006675BF
Source: C:\Users\user\Desktop\PO4567328901.exe | Code function: 6_2_00666187 push cs; ret 6_2_00666188
Source: PO4567328901.exe | Static PE information: 0xEB1F9274 [Sat Jan 1 10:07:48 2095 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.62123130094
Source: C:\Users\user\Desktop\PO4567328901.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\PO4567328901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: Process Memory Space: PO4567328901.exe PID: 7068, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: PO4567328901.exe, 00000000.00000002.702840287.0000000002924000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: PO4567328901.exe, 00000000.00000002.702840287.0000000002924000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\PO4567328901.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\PO4567328901.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\PO4567328901.exe TID: 7096 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\PO4567328901.exe TID: 6736 | Thread sleep time: -24903104499507879s >= -30000s
                      Source: C:\Users\user\Desktop\PO4567328901.exe TID: 6072 | Thread sleep count: 4884 > 30
                      Source: C:\Users\user\Desktop\PO4567328901.exe TID: 6072 | Thread sleep count: 4948 > 30
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Window / User API: threadDelayed 4884
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Window / User API: threadDelayed 4948
                      Source: C:\Users\user\Desktop\PO4567328901.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PO4567328901.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Thread delayed: delay time: 922337203685477
                      Source: PO4567328901.exe, 00000000.00000002.702840287.0000000002924000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                      Source: PO4567328901.exe, 00000000.00000002.702840287.0000000002924000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: PO4567328901.exe, 00000000.00000002.702840287.0000000002924000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: PO4567328901.exe, 00000000.00000002.702840287.0000000002924000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: PO4567328901.exe, 00000000.00000002.702840287.0000000002924000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                      Source: PO4567328901.exe, 00000000.00000002.702840287.0000000002924000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: PO4567328901.exe, 00000000.00000002.702840287.0000000002924000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: PO4567328901.exe, 00000000.00000002.702840287.0000000002924000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                      Source: PO4567328901.exe, 00000006.00000002.932337607.0000000000BCD000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8.8.8.8255.255.255.255
                      Source: PO4567328901.exe, 00000000.00000002.702840287.0000000002924000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Process created: C:\Users\user\Desktop\PO4567328901.exe {path}
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Process created: C:\Users\user\Desktop\PO4567328901.exe {path}
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Process created: C:\Users\user\Desktop\PO4567328901.exe {path}
                      Source: PO4567328901.exe, 00000006.00000002.932865498.00000000013D0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: PO4567328901.exe, 00000006.00000002.932865498.00000000013D0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: PO4567328901.exe, 00000006.00000002.932865498.00000000013D0000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: PO4567328901.exe, 00000006.00000002.932865498.00000000013D0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Users\user\Desktop\PO4567328901.exe VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO4567328901.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Users\user\Desktop\PO4567328901.exe VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO4567328901.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 6.0.PO4567328901.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO4567328901.exe.37766d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.PO4567328901.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.PO4567328901.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.PO4567328901.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.PO4567328901.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.PO4567328901.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO4567328901.exe.3691858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO4567328901.exe.37766d8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.703382608.00000000035F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.692121481.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.693283829.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.931868286.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.691722265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.692643912.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO4567328901.exe PID: 7068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO4567328901.exe PID: 3184, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\PO4567328901.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PO4567328901.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\PO4567328901.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\PO4567328901.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\PO4567328901.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\PO4567328901.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PO4567328901.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PO4567328901.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO4567328901.exe PID: 3184, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 6.0.PO4567328901.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO4567328901.exe.37766d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.PO4567328901.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.PO4567328901.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.PO4567328901.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.PO4567328901.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.PO4567328901.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO4567328901.exe.3691858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO4567328901.exe.37766d8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.703382608.00000000035F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.692121481.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.693283829.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.931868286.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.691722265.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.692643912.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO4567328901.exe PID: 7068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO4567328901.exe PID: 3184, type: MEMORYSTR

Mitre Att&ck Matrix (techniques listed per tactic column; the numbers attached to a technique are reproduced from the report's matrix cells)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation 211, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection 12, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading 1, Disable or Modify Tools 1, Virtualization/Sandbox Evasion 131, Process Injection 12, Deobfuscate/Decode Files or Information 1, Obfuscated Files or Information 2, Software Packing 3, Timestomp 1
Credential Access: OS Credential Dumping 2, Input Capture 1, Credentials in Registry 1, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Query Registry 1, Security Software Discovery 211, Process Discovery 2, Virtualization/Sandbox Evasion 131, Application Window Discovery 1, Remote System Discovery 1, System Information Discovery 114, Network Service Scanning
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
Collection: Email Collection 1, Input Capture 1, Archive Collected Data 11, Data from Local System 2, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 1, Non-Standard Port 1, Non-Application Layer Protocol 1, Application Layer Protocol 11, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

                      Behavior Graph


                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
PO4567328901.exe | 100% | Joe Sandbox ML | -

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
6.0.PO4567328901.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
6.0.PO4567328901.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
6.2.PO4567328901.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
6.0.PO4567328901.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
6.0.PO4567328901.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
6.0.PO4567328901.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://mail.modularelect.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://pdvOKN.com | 0% | Avira URL Cloud | safe
https://ngLbihuDlAdBVmL.net | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.modularelect.com | 103.248.80.5 | true | true | - | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | PO4567328901.exe, 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | - | high
http://DynDns.comDynDNS | PO4567328901.exe, 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | PO4567328901.exe, 00000006.00000002.934476615.0000000002DD0000.00000004.00000001.sdmp, PO4567328901.exe, 00000006.00000002.934511795.0000000002DDE000.00000004.00000001.sdmp, PO4567328901.exe, 00000006.00000002.932337607.0000000000BCD000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | PO4567328901.exe, 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | - | high
http://mail.modularelect.com | PO4567328901.exe, 00000006.00000002.934476615.0000000002DD0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | - | high
http://www.fonts.com | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO4567328901.exe, 00000000.00000002.701668697.00000000025F1000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | PO4567328901.exe, 00000000.00000002.704667239.00000000066E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | PO4567328901.exe, 00000000.00000002.703382608.00000000035F9000.00000004.00000001.sdmp, PO4567328901.exe, 00000006.00000000.692121481.0000000000402000.00000040.00000001.sdmp, PO4567328901.exe, 00000006.00000000.691722265.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://pdvOKN.com | PO4567328901.exe, 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://ngLbihuDlAdBVmL.net | PO4567328901.exe, 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
103.248.80.5 | mail.modularelect.com | India | 18229 | CTRLS-AS-INCtrlSDatacentersLtdIN | true

                                              General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 532821
Start date: 02.12.2021
Start time: 18:20:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PO4567328901.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/1@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 1.2% (good quality ratio 0.8%)
• Quality average: 43.2%
• Quality standard deviation: 33.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 48
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
18:21:32 | API Interceptor | 691x Sleep call for process: PO4567328901.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
103.248.80.5 | PO#67890345201.exe | malicious
103.248.80.5 | New order.exe | malicious
103.248.80.5 | 1089765423012021_inquiry.exe | malicious
103.248.80.5 | PO2018975601.exe | malicious
103.248.80.5 | Payment details.exe | malicious
103.248.80.5 | Purchase order.exe | malicious
103.248.80.5 | SOA.exe | malicious
103.248.80.5 | PO8805545321.exe | malicious
103.248.80.5 | Swift.exe | malicious
103.248.80.5 | PO801445976.exe | malicious
103.248.80.5 | PO-101524309.exe | malicious
103.248.80.5 | PO110629.exe | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
mail.modularelect.com | PO#67890345201.exe | malicious | 103.248.80.5
mail.modularelect.com | New order.exe | malicious | 103.248.80.5
mail.modularelect.com | 1089765423012021_inquiry.exe | malicious | 103.248.80.5
mail.modularelect.com | PO2018975601.exe | malicious | 103.248.80.5
mail.modularelect.com | MT103_SWIFT ADVICE.exe | malicious | 103.248.80.5
mail.modularelect.com | Payment details.exe | malicious | 103.248.80.5
mail.modularelect.com | Purchase order.exe | malicious | 103.248.80.5
mail.modularelect.com | SOA.exe | malicious | 103.248.80.5
mail.modularelect.com | PO8805545321.exe | malicious | 103.248.80.5
mail.modularelect.com | Swift.exe | malicious | 103.248.80.5
mail.modularelect.com | PO801445976.exe | malicious | 103.248.80.5
mail.modularelect.com | PO-101524309.exe | malicious | 103.248.80.5
mail.modularelect.com | PO110629.exe | malicious | 103.248.80.5
mail.modularelect.com | Purchase order.exe | malicious | 209.99.40.222
mail.modularelect.com | PO#101873452021.exe | malicious | 209.99.40.222

ASN

Match | Associated Sample Name / URL | Detection | Context
CTRLS-AS-IN CtrlSDatacentersLtdIN | SecuriteInfo.com.Zum.Androm.1.23035.exe | malicious | 219.90.65.155
CTRLS-AS-IN CtrlSDatacentersLtdIN | PO#67890345201.exe | malicious | 103.248.80.5
CTRLS-AS-IN CtrlSDatacentersLtdIN | New order.exe | malicious | 103.248.80.5
CTRLS-AS-IN CtrlSDatacentersLtdIN | 1089765423012021_inquiry.exe | malicious | 103.248.80.5
CTRLS-AS-IN CtrlSDatacentersLtdIN | Partial Shipment.exe | malicious | 219.90.65.155
CTRLS-AS-IN CtrlSDatacentersLtdIN | PO2018975601.exe | malicious | 103.248.80.5
CTRLS-AS-IN CtrlSDatacentersLtdIN | Payment details.exe | malicious | 103.248.80.5
CTRLS-AS-IN CtrlSDatacentersLtdIN | Purchase order.exe | malicious | 103.248.80.5
CTRLS-AS-IN CtrlSDatacentersLtdIN | SOA.exe | malicious | 103.248.80.5
CTRLS-AS-IN CtrlSDatacentersLtdIN | Confirm.16451.xlsb | malicious | 103.117.180.99
CTRLS-AS-IN CtrlSDatacentersLtdIN | PO8805545321.exe | malicious | 103.248.80.5
CTRLS-AS-IN CtrlSDatacentersLtdIN | Swift.exe | malicious | 103.248.80.5
CTRLS-AS-IN CtrlSDatacentersLtdIN | arm7 | malicious | 14.197.171.139
CTRLS-AS-IN CtrlSDatacentersLtdIN | BookingXConfirm-11401.xlsb | malicious | 103.117.180.99
CTRLS-AS-IN CtrlSDatacentersLtdIN | 06799.xlsb | malicious | 103.117.180.99
CTRLS-AS-IN CtrlSDatacentersLtdIN | 06799.xlsb | malicious | 103.117.180.99
CTRLS-AS-IN CtrlSDatacentersLtdIN | Rooms_requirement.7149.xlsb | malicious | 103.117.180.99
CTRLS-AS-IN CtrlSDatacentersLtdIN | Rooms_requirement.7149.xlsb | malicious | 103.117.180.99
CTRLS-AS-IN CtrlSDatacentersLtdIN | Rooms_requirement 17757.xlsb | malicious | 103.117.180.99
CTRLS-AS-IN CtrlSDatacentersLtdIN | Rooms_requirement 17757.xlsb | malicious | 103.117.180.99

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO4567328901.exe.log
Process: C:\Users\user\Desktop\PO4567328901.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
                                                                      SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                      MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                      SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                      SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                      SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.40179576148845
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: PO4567328901.exe
File size: 615936
                                                                      MD5:0346606c84796f9a92803e29daecad72
                                                                      SHA1:4fbae6bc6fe32fa19088ea77969f1c6de354d18c
                                                                      SHA256:9c0608f3b43dc5252841b632ed93c76252e712464be27e8932e10c86f19a8f07
                                                                      SHA512:c54989f63f8629d7b3669614dd70ed6e9b6085988160617752f61737374e6c73632b13ed19a64dfd829a4a46f6facf76fed2fc192c0e133a07bb2701c384ae90
                                                                      SSDEEP:12288:3T+m3eYS8uhGwJvAvWx43TtOD4VHnymXlhGBGrq:QjGyAOx43hOEVHyQ1
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.................P..f............... ........@.. ....................................@................................

File Icon

Icon Hash: 00130d31155d7e00

Static PE Info

General

Entrypoint: 0x48851e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xEB1F9274 [Sat Jan 1 10:07:48 2095 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the previous instruction is repeated 97 times in the original listing)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x884d0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0xfb20 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x86524 | 0x86600 | False | 0.810913880814 | data | 7.62123130094 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x8a000 | 0xfb20 | 0xfc00 | False | 0.272305927579 | data | 3.44750366842 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x8a130 | 0xf4d8 | data | |
RT_GROUP_ICON | 0x99608 | 0x14 | data | |
RT_VERSION | 0x9961c | 0x314 | data | |
RT_MANIFEST | 0x99930 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2019
Assembly Version | 1.0.0.0
InternalName | n77Le.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | ConnectFour
ProductVersion | 1.0.0.0
FileDescription | ConnectFour
OriginalFilename | n77Le.exe

                                                                      Network Behavior

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      Timestamp                           Source Port  Dest Port  Source IP     Dest IP
                                                                      Dec 2, 2021 18:23:24.557691097 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:24.701850891 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:24.702106953 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:25.797975063 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:25.798446894 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:25.942393064 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:25.942991018 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:26.090584993 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:26.140755892 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:26.152796984 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:26.311794996 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:26.311820030 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:26.311836004 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:26.311847925 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:26.311899900 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:26.316760063 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:26.353199005 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:26.497427940 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:26.547023058 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:26.842952013 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:26.987253904 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:26.988964081 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:27.134804010 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:27.135787010 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:27.301475048 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:27.302619934 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:27.446341991 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:27.449193001 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:27.603344917 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:27.604717016 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:27.749759912 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:27.751693010 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:27.751866102 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:27.752875090 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:27.752968073 CET  49851        587        192.168.2.4   103.248.80.5
                                                                      Dec 2, 2021 18:23:27.896327019 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:27.896359921 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:27.897241116 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:27.897253990 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:27.929757118 CET  587          49851      103.248.80.5  192.168.2.4
                                                                      Dec 2, 2021 18:23:27.984778881 CET  49851        587        192.168.2.4   103.248.80.5

                                                                      UDP Packets

                                                                      Timestamp                           Source Port  Dest Port  Source IP     Dest IP
                                                                      Dec 2, 2021 18:23:24.428626060 CET  53700        53         192.168.2.4   8.8.8.8
                                                                      Dec 2, 2021 18:23:24.448544979 CET  53           53700      8.8.8.8       192.168.2.4

                                                                      DNS Queries

                                                                      Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
                                                                      Dec 2, 2021 18:23:24.428626060 CET  192.168.2.4  8.8.8.8  0x890b    Standard query (0)  mail.modularelect.com  A (IP address)  IN (0x0001)

                                                                      DNS Answers

                                                                      Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                   CName  Address       Type            Class
                                                                      Dec 2, 2021 18:23:24.448544979 CET  8.8.8.8    192.168.2.4  0x890b    No error (0)  mail.modularelect.com  -      103.248.80.5  A (IP address)  IN (0x0001)

                                                                      SMTP Packets

                                                                      Timestamp                           Source Port  Dest Port  Source IP     Dest IP       Commands
                                                                      Dec 2, 2021 18:23:25.797975063 CET  587          49851      103.248.80.5  192.168.2.4   220-bom15.balasai.com ESMTP Exim 4.94.2 #2 Thu, 02 Dec 2021 22:53:27 +0530
                                                                                                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                                                                                                              220 and/or bulk e-mail.
                                                                      Dec 2, 2021 18:23:25.798446894 CET  49851        587        192.168.2.4   103.248.80.5  EHLO 061544
                                                                      Dec 2, 2021 18:23:25.942393064 CET  587          49851      103.248.80.5  192.168.2.4   250-bom15.balasai.com Hello 061544 [84.17.52.65]
                                                                                                                                                              250-SIZE 52428800
                                                                                                                                                              250-8BITMIME
                                                                                                                                                              250-PIPELINING
                                                                                                                                                              250-PIPE_CONNECT
                                                                                                                                                              250-AUTH PLAIN LOGIN
                                                                                                                                                              250-STARTTLS
                                                                                                                                                              250 HELP
                                                                      Dec 2, 2021 18:23:25.942991018 CET  49851        587        192.168.2.4   103.248.80.5  STARTTLS
                                                                      Dec 2, 2021 18:23:26.090584993 CET  587          49851      103.248.80.5  192.168.2.4   220 TLS go ahead
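The DNS, TCP and SMTP tables above together document the sample's exfiltration channel: one lookup of mail.modularelect.com, one TCP session to 103.248.80.5 on the submission port 587, a banner from bom15.balasai.com, an EHLO with the bare number 061544 as hostname, and STARTTLS accepted before any AUTH command, so the credentials and the stolen data never appear in the capture. The following Python is an added example, not part of the Joe Sandbox report: it folds the RFC 5321 multi-line replies back into records, extracts the advertised extensions and the IOCs, and applies three analyst heuristics. The records are copied from the tables above (PROCESS_PATH from the System Behavior section); the mail-client allowlist and the heuristics in findings() are this example's own assumptions.

```python
"""Rebuild the SMTP exfiltration session from a sandbox report's network
tables and turn it into IOCs plus analyst findings.

Added example, not part of the Joe Sandbox report. DNS_ANSWER, FLOW,
SMTP_DIALOGUE and PROCESS_PATH are copied from the report; MAIL_CLIENTS
and the heuristics in findings() are assumptions of this example.
"""
import re

DNS_ANSWER = ("mail.modularelect.com", "103.248.80.5")
FLOW = {"src": "192.168.2.4", "sport": 49851, "dst": "103.248.80.5", "dport": 587}
PROCESS_PATH = r"C:\Users\user\Desktop\PO4567328901.exe"
SMTP_DIALOGUE = [  # ("S", server line) / ("C", client command), in wire order
    ("S", "220-bom15.balasai.com ESMTP Exim 4.94.2 #2 Thu, 02 Dec 2021 22:53:27 +0530"),
    ("S", "220-We do not authorize the use of this system to transport unsolicited,"),
    ("S", "220 and/or bulk e-mail."),
    ("C", "EHLO 061544"),
    ("S", "250-bom15.balasai.com Hello 061544 [84.17.52.65]"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250-PIPE_CONNECT"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "STARTTLS"),
    ("S", "220 TLS go ahead"),
]
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")  # assumed allowlist, not from the report

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def group_replies(dialogue):
    """Fold RFC 5321 multi-line replies into records: '250-' continues the
    reply, '250 ' (space) ends it. Each record keeps the client command it
    answers (None for the greeting banner)."""
    records, pending_cmd, cur = [], None, None
    for who, text in dialogue:
        if who == "C":
            pending_cmd = text
            continue
        m = REPLY_RE.match(text)
        if not m:
            raise ValueError(f"malformed SMTP reply: {text!r}")
        code, sep, body = int(m.group(1)), m.group(2), m.group(3)
        if cur is None:
            cur = {"command": pending_cmd, "code": code, "lines": []}
        elif cur["code"] != code:
            raise ValueError("reply code changed inside a multi-line reply")
        cur["lines"].append(body)
        if sep == " ":  # final line of this reply
            records.append(cur)
            cur, pending_cmd = None, None
    return records


def ehlo_extensions(records):
    """Extensions advertised in the 250 reply to EHLO, keyword -> parameters."""
    for r in records:
        if r["code"] == 250 and r["command"] and r["command"].upper().startswith("EHLO"):
            ext = {}
            for line in r["lines"][1:]:  # line 0 is the server's greeting
                keyword, _, params = line.partition(" ")
                ext[keyword.upper()] = params.split()
            return ext
    return {}


def session_summary(dialogue):
    records = group_replies(dialogue)
    ext = ehlo_extensions(records)
    banner = next(r for r in records if r["command"] is None and r["code"] == 220)
    ehlo = next(r for r in records if r["command"] and r["command"].upper().startswith("EHLO"))
    seen = re.search(r"Hello (\S+) \[([\d.]+)\]", ehlo["lines"][0])
    cmds = [t.upper() for who, t in dialogue if who == "C"]
    return {
        "server_banner_host": banner["lines"][0].split()[0],
        "ehlo_name": ehlo["command"].split(maxsplit=1)[1],
        "client_public_ip": seen.group(2) if seen else None,  # the sandbox as the server saw it
        "offered_auth": ext.get("AUTH", []),
        "starttls_negotiated": any(r["command"] == "STARTTLS" and r["code"] == 220 for r in records),
        "auth_in_clear": any(c.startswith("AUTH") for c in cmds),
    }


def iocs(dns_answer, flow):
    host, ip = dns_answer
    if flow["dst"] != ip:
        raise ValueError("TCP flow does not go to the resolved address")
    return {"c2_host": host, "c2_ip": ip, "c2_port": flow["dport"]}


def findings(summary, flow, process_path):
    """Heuristics (this example's own) for calling the session an exfil channel."""
    out = []
    if flow["dport"] in (25, 465, 587) and not process_path.lower().endswith(MAIL_CLIENTS):
        out.append(f"SMTP on port {flow['dport']} from a non-mail process: {process_path}")
    if summary["ehlo_name"].isdigit():
        out.append(f"EHLO name {summary['ehlo_name']!r} is a number, not a hostname")
    if summary["starttls_negotiated"] and not summary["auth_in_clear"]:
        out.append("STARTTLS before AUTH: credentials and mail body are not in the "
                   "capture; take them from the extracted malware configuration")
    return out


if __name__ == "__main__":
    s = session_summary(SMTP_DIALOGUE)
    print(iocs(DNS_ANSWER, FLOW), s, *findings(s, FLOW, PROCESS_PATH), sep="\n")
```

On the records above this yields the IOC triple mail.modularelect.com / 103.248.80.5 / 587 and all three findings. The last one is the practical caveat for this report: because the client upgraded to TLS before authenticating, the pcap cannot give you the SMTP account the stealer uses; that has to come from the extracted configuration the report's "Found malware configuration" signature refers to.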

                                                                      Code Manipulations

                                                                      Statistics

                                                                      CPU Usage


                                                                      Memory Usage


                                                                      High Level Behavior Distribution


                                                                      Behavior


                                                                      System Behavior

                                                                      General

                                                                      Start time:18:21:26
                                                                      Start date:02/12/2021
                                                                      Path:C:\Users\user\Desktop\PO4567328901.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\PO4567328901.exe"
                                                                      Imagebase:0x100000
                                                                      File size:615936 bytes
                                                                      MD5 hash:0346606C84796F9A92803E29DAECAD72
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.703382608.00000000035F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.703382608.00000000035F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Reputation:low

                                                                      General

                                                                      Start time:18:21:36
                                                                      Start date:02/12/2021
                                                                      Path:C:\Users\user\Desktop\PO4567328901.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:{path}
                                                                      Imagebase:0x190000
                                                                      File size:615936 bytes
                                                                      MD5 hash:0346606C84796F9A92803E29DAECAD72
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low

                                                                      General

                                                                      Start time:18:21:37
                                                                      Start date:02/12/2021
                                                                      Path:C:\Users\user\Desktop\PO4567328901.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:{path}
                                                                      Imagebase:0x100000
                                                                      File size:615936 bytes
                                                                      MD5 hash:0346606C84796F9A92803E29DAECAD72
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low

                                                                      General

                                                                      Start time:18:21:39
                                                                      Start date:02/12/2021
                                                                      Path:C:\Users\user\Desktop\PO4567328901.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:{path}
                                                                      Imagebase:0x660000
                                                                      File size:615936 bytes
                                                                      MD5 hash:0346606C84796F9A92803E29DAECAD72
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.692121481.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.692121481.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.693283829.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.693283829.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.931868286.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.931868286.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.691722265.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.691722265.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.692643912.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.692643912.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Reputation:low
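The four process entries above show one image re-executing itself three times within thirteen seconds with the sandbox's {path} placeholder as command line, and only the last instance (32-bit, .NET) carrying the AgentTesla YARA hits. Those hits sit at 0x402000 in memory with protection 0x40, while the report lists 0x660000 as that process's image base; the first instance's hits are at 0x35F9000 with protection 0x04. The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it decodes the memory-dump names and applies two triage heuristics (self-relaunch, and executable+writable hits outside the process's own image). Assumptions of this example: the dump-name layout <process id>.<dump kind>.<id>.<base address>.<protection>.<type>.sdmp with <protection> a Win32 PAGE_* constant, and the file size standing in for the mapped image size.

```python
"""Triage of the System Behavior section: self-relaunch pattern and the
memory regions behind the YARA hits.

Added example, not part of the Joe Sandbox report or of Joe Security's
tooling. Process records and dump names are copied from the report.
Assumed: dump-name layout
<process id>.<dump kind>.<id>.<base address>.<protection>.<type>.sdmp with
<protection> a Win32 PAGE_* constant; file size as a stand-in for the
mapped image size (it underestimates SizeOfImage).
"""
import re
from dataclasses import dataclass, field

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
DUMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$",
    re.IGNORECASE)


@dataclass
class Proc:
    start: str        # HH:MM:SS from the "Start time" field
    path: str
    cmdline: str
    wow64: bool
    imagebase: int
    file_size: int
    language: str
    yara_dumps: list = field(default_factory=list)


PATH = r"C:\Users\user\Desktop\PO4567328901.exe"
PROCESSES = [  # the four "General" blocks of the report, in order
    Proc("18:21:26", PATH, f'"{PATH}"', True, 0x100000, 615936, ".Net C# or VB.NET",
         ["00000000.00000002.703382608.00000000035F9000.00000004.00000001.sdmp"]),
    Proc("18:21:36", PATH, "{path}", False, 0x190000, 615936, "C, C++ or other language"),
    Proc("18:21:37", PATH, "{path}", False, 0x100000, 615936, "C, C++ or other language"),
    Proc("18:21:39", PATH, "{path}", True, 0x660000, 615936, ".Net C# or VB.NET",
         ["00000006.00000000.692121481.0000000000402000.00000040.00000001.sdmp",
          "00000006.00000002.931868286.0000000000402000.00000040.00000001.sdmp",
          "00000006.00000002.933223406.0000000002A71000.00000004.00000001.sdmp"]),
]


def parse_dump_name(name):
    """Split a .sdmp file name into its fields (layout assumed, see above)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, kind, _, base, prot, _ = m.groups()
    prot = int(prot, 16)
    return {"process_id": int(pid, 16), "dump_kind": int(kind, 16),
            "base": int(base, 16), "protection": prot,
            "protection_name": PAGE_PROTECTION.get(prot & 0xFF, "unknown")}


def relaunches(procs):
    """Indices of processes that re-execute the first process's image via the
    sandbox's '{path}' placeholder command line (self-relaunch pattern)."""
    first = procs[0]
    return [i for i, p in enumerate(procs)
            if i and p.path == first.path and p.cmdline == "{path}"]


def rwx_hits_outside_image(proc):
    """Bases of YARA hits that are executable+writable and not inside the
    process's own mapped image: candidate injected or hollowed payload."""
    found = set()
    for name in proc.yara_dumps:
        d = parse_dump_name(name)
        in_image = proc.imagebase <= d["base"] < proc.imagebase + proc.file_size
        if d["protection"] & 0x40 and not in_image:
            found.add(d["base"])
    return sorted(found)


def triage(procs):
    report = {"relaunches": relaunches(procs), "injected": {}}
    for i, p in enumerate(procs):
        bases = rwx_hits_outside_image(p)
        if bases:
            report["injected"][i] = [hex(b) for b in bases]
    return report


if __name__ == "__main__":
    print(triage(PROCESSES))
```

Run on the records above it reports processes 1 to 3 as relaunches and one executable+writable hit at 0x402000 in the last process, away from the 0x660000 image base listed for it, which is what a hollowed or self-injected payload looks like; the first process's hit at 0x35F9000 is read/write only, consistent with the unpacked stage sitting in heap memory before it is handed to the final instance.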

                                                                      Disassembly

                                                                      Code Analysis


                                                                        Executed Functions

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.703989900.0000000004B90000.00000040.00000001.sdmp, Offset: 04B90000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0Fv$0Fv$0Fv$0Fv
                                                                        • API String ID: 0-4125888408
                                                                        • Opcode ID: e0a06843ecb11c8227b9f021992a9257f7cc16bbd62a67ddc7ba9aae0c69779b
                                                                        • Instruction ID: d18b85c9332abd07fb59c262da5afbb51ad102725ec9ec79642f4ea158081df5
                                                                        • Opcode Fuzzy Hash: e0a06843ecb11c8227b9f021992a9257f7cc16bbd62a67ddc7ba9aae0c69779b
                                                                        • Instruction Fuzzy Hash: A102E774E04219DFDB24CFA4D894B9DBBF2EB89300F1084AAD509AB364DB34AD85DF54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.703989900.0000000004B90000.00000040.00000001.sdmp, Offset: 04B90000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0Fv$0Fv$0Fv$0Fv
                                                                        • API String ID: 0-4125888408
                                                                        • Opcode ID: 09fd41b98b1018c42a498d5a90e5537aad1290699b309d5c0dda0fa21fac899d
                                                                        • Instruction ID: b978ff66e2f3d5efc92c27215ae886820f905d59137a0ac93c41c114b8bf7032
                                                                        • Opcode Fuzzy Hash: 09fd41b98b1018c42a498d5a90e5537aad1290699b309d5c0dda0fa21fac899d
                                                                        • Instruction Fuzzy Hash: 3B02F574E04219DFDB24CFA4D984B9DBBF2EB89300F1084AAD509AB364DB34AD85DF54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fe998b61261d1ed253056fcae54932f7e912a52e347d40e3ac57886db5258474
                                                                        • Instruction ID: 2ee48e6e199f4d81795728759cb742bb957e0d5d2a5996598470883d3c156e38
                                                                        • Opcode Fuzzy Hash: fe998b61261d1ed253056fcae54932f7e912a52e347d40e3ac57886db5258474
                                                                        • Instruction Fuzzy Hash: 28526B31A00619CFCB15CF58C880AAEB7B6FF84314F5584A9E956EB261D7B1FD85CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f9d183ec4a206799eee9d0bb6abd578a78f53b21e9bd99e4ddb990444d208718
                                                                        • Instruction ID: 46394489878cf7ed63d99a15a571a8d03b1d3fdde0ecd3570973fe5066c39ac8
                                                                        • Opcode Fuzzy Hash: f9d183ec4a206799eee9d0bb6abd578a78f53b21e9bd99e4ddb990444d208718
                                                                        • Instruction Fuzzy Hash: 4F314970E05209EFCB48CFA5D5455AEFBF2FBDA340F20D4A9C406E7264E6349A41DB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 00836F90
                                                                        • GetCurrentThread.KERNEL32 ref: 00836FCD
                                                                        • GetCurrentProcess.KERNEL32 ref: 0083700A
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00837063
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Current$ProcessThread
                                                                        • String ID:
                                                                        • API String ID: 2063062207-0
                                                                        • Opcode ID: 247ae6f961005749befe5da1a5d5e05522d17e0a6af1076a6490a95f2f4b3496
                                                                        • Instruction ID: 9978218207269aea6feaeea7769e635395523c347441ee32ad13f67ffa71b004
                                                                        • Opcode Fuzzy Hash: 247ae6f961005749befe5da1a5d5e05522d17e0a6af1076a6490a95f2f4b3496
                                                                        • Instruction Fuzzy Hash: F85144B49006499FDB14CFA9D948BDEBBF1FF88304F248459E019A7350DBB45848CF65
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 00836F90
                                                                        • GetCurrentThread.KERNEL32 ref: 00836FCD
                                                                        • GetCurrentProcess.KERNEL32 ref: 0083700A
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00837063
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Current$ProcessThread
                                                                        • String ID:
                                                                        • API String ID: 2063062207-0
                                                                        • Opcode ID: 4698628f9a25246d3289ead42fe1a6403fa0a4d31306a5cf0062f5613875e966
                                                                        • Instruction ID: b1e09e2d6f8bc702504d487dcafd40cbe195c7312fa04c6c8d1e4efe7661b6b1
                                                                        • Opcode Fuzzy Hash: 4698628f9a25246d3289ead42fe1a6403fa0a4d31306a5cf0062f5613875e966
                                                                        • Instruction Fuzzy Hash: 1E5154B49007499FDB54CFA9D548BDEBBF1FB88304F248459E019A7350DBB49844CFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0083C1AE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID: tnv$tnv
                                                                        • API String ID: 4139908857-4288101062
                                                                        • Opcode ID: b7af9cf792c6aaefe24d22c91671f66eee9ea4fbe8edbaf83d44a1141ee2be5a
                                                                        • Instruction ID: 0a5f1eb55215ac726b864dbcad53f15feb0e9cafdac8d6a6824fe22c4726b9de
                                                                        • Opcode Fuzzy Hash: b7af9cf792c6aaefe24d22c91671f66eee9ea4fbe8edbaf83d44a1141ee2be5a
                                                                        • Instruction Fuzzy Hash: 557122B0A00B058FD724DF69D45579ABBF1FF88304F008A2AE48AD7A50DB75E849CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateActCtxA.KERNEL32(?), ref: 04B93EF1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.703989900.0000000004B90000.00000040.00000001.sdmp, Offset: 04B90000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID:
                                                                        • API String ID: 2289755597-0
                                                                        • Opcode ID: 08d2286c45312415b0dcd241fdcdac8037b9522e262fe8cd053c3170bf7e9b96
                                                                        • Instruction ID: 950f82b42154dd7f18bc9859e4209752864a09a686edcc851d451ff0668f85a8
                                                                        • Opcode Fuzzy Hash: 08d2286c45312415b0dcd241fdcdac8037b9522e262fe8cd053c3170bf7e9b96
                                                                        • Instruction Fuzzy Hash: 10414370C007598BCB14CFA9C884BDEBBF5FF49308F1488AAC449AB251D774694ACF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0083E12A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0083E12A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateActCtxA.KERNEL32(?), ref: 04B93EF1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.703989900.0000000004B90000.00000040.00000001.sdmp, Offset: 04B90000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID:
                                                                        • API String ID: 2289755597-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 04B90D91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.703989900.0000000004B90000.00000040.00000001.sdmp, Offset: 04B90000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CallProcWindow
                                                                        • String ID:
                                                                        • API String ID: 2714655100-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008371DF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008371DF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0083C229,00000800,00000000,00000000), ref: 0083C43A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0083C229,00000800,00000000,00000000), ref: 0083C43A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • PostMessageW.USER32(?,?,?,?), ref: 0239031D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.699043059.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MessagePost
                                                                        • String ID:
                                                                        • API String ID: 410705778-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0083C1AE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetWindowLongW.USER32(?,?,?), ref: 0083E2BD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID: LongWindow
                                                                        • String ID:
                                                                        • API String ID: 1378638983-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetWindowLongW.USER32(?,?,?), ref: 0083E2BD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID: LongWindow
                                                                        • String ID:
                                                                        • API String ID: 1378638983-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • PostMessageW.USER32(?,?,?,?), ref: 0239031D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.699043059.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MessagePost
                                                                        • String ID:
                                                                        • API String ID: 410705778-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698006025.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698039209.000000000076D000.00000040.00000001.sdmp, Offset: 0076D000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698006025.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698039209.000000000076D000.00000040.00000001.sdmp, Offset: 0076D000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698006025.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698006025.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.699043059.0000000002390000.00000040.00000001.sdmp, Offset: 02390000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a733fca526708a6791ddaafa0426e8e001ec88409e024330e0ba21e7087113c4
                                                                        • Instruction ID: 1948a47baa4c57c7f99096596c6bf52f0dbb1a88643e83b8a7436ac7cbe06eac
                                                                        • Opcode Fuzzy Hash: a733fca526708a6791ddaafa0426e8e001ec88409e024330e0ba21e7087113c4
                                                                        • Instruction Fuzzy Hash: BA5213B1500F068BD714CF19EC887BD7BA1FB41328F914318D761AB6A0D3B465AADF86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.698162898.0000000000830000.00000040.00000001.sdmp, Offset: 00830000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cebca87a4036e870d9d6da5ec68563d65b8b2a76004bc26f1736a0576395f708
                                                                        • Instruction ID: b8e615c04b7ac21760055cfa28a1165f098f52d71ba6722f4fd851e4c6cf736b
                                                                        • Opcode Fuzzy Hash: cebca87a4036e870d9d6da5ec68563d65b8b2a76004bc26f1736a0576395f708
                                                                        • Instruction Fuzzy Hash: B2A14E72E006198FCF05DFA5C8445EEBBB6FFC5300F15856AEA05EB221EB31A945CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Executed Functions

                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 010269A0
                                                                        • GetCurrentThread.KERNEL32 ref: 010269DD
                                                                        • GetCurrentProcess.KERNEL32 ref: 01026A1A
                                                                        • GetCurrentThreadId.KERNEL32 ref: 01026A73
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932783362.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Current$ProcessThread
                                                                        • String ID:
                                                                        • API String ID: 2063062207-0
                                                                        • Opcode ID: 9b91483a85687cf2b88283e69cd82ac6bbcba50798b18acfcaf7c74b3944e6d7
                                                                        • Instruction ID: fdcd8acd7042e3dd4902e0084ae7ee2849ae38b0247f7975a101694f11f42009
                                                                        • Opcode Fuzzy Hash: 9b91483a85687cf2b88283e69cd82ac6bbcba50798b18acfcaf7c74b3944e6d7
                                                                        • Instruction Fuzzy Hash: 0F5187B4A047888FDB40CFA9D588BEEBFF4EF49304F24849AE448A7291C7755884CF61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 010269A0
                                                                        • GetCurrentThread.KERNEL32 ref: 010269DD
                                                                        • GetCurrentProcess.KERNEL32 ref: 01026A1A
                                                                        • GetCurrentThreadId.KERNEL32 ref: 01026A73
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932783362.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Current$ProcessThread
                                                                        • String ID:
                                                                        • API String ID: 2063062207-0
                                                                        • Opcode ID: b79ce6d351da55cbff15e8171414adff2f3dd9fd2ba2b93df213e4434730ff9a
                                                                        • Instruction ID: 08d8d946877143e1c1d5cb37a4fc3e190a3fa2edd02b9e9f582c928c7ae1f644
                                                                        • Opcode Fuzzy Hash: b79ce6d351da55cbff15e8171414adff2f3dd9fd2ba2b93df213e4434730ff9a
                                                                        • Instruction Fuzzy Hash: 785164B4A007488FDB44CFAAC588BEEBBF5AF88304F208499E449A3350CB755884CF65
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932598554.0000000000E70000.00000040.00000010.sdmp, Offset: 00E70000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 27553698bdba0bd6d25658958a3b8a17f6943ce905f2d5f9254f1d116ef3bc17
                                                                        • Instruction ID: 3c23a8970720f94b1d351e5d546236fe7ce5838a7c372f23caff963eb956b111
                                                                        • Opcode Fuzzy Hash: 27553698bdba0bd6d25658958a3b8a17f6943ce905f2d5f9254f1d116ef3bc17
                                                                        • Instruction Fuzzy Hash: EA411472E043958FCB00CBB9D8146EEBBF5EF89310F1985AAD408A7351DB749845CBE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010251A2
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932783362.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: 1fd98d3eb0ad8c9d233b0e0aded313c042f3b512d7e2e5a9062c0bd435043fed
                                                                        • Instruction ID: bdedcfe0758f6097304d232355f2bb53167f2af2c57f5c4b3b24b90bbcdd6879
                                                                        • Opcode Fuzzy Hash: 1fd98d3eb0ad8c9d233b0e0aded313c042f3b512d7e2e5a9062c0bd435043fed
                                                                        • Instruction Fuzzy Hash: 8451C0B1D103599FDF14CFA9C884ADEBFB5BF48314F24812AE819AB250D7749985CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010251A2
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932783362.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: 9d1404a5553f3a0f6d46cee5372ebc1c7bf00076947bc9b9b875bae98837cfea
                                                                        • Instruction ID: aa36bbd359493469b9925ed5aad05f5e63fd14c91652cbdc9467e19a4a051904
                                                                        • Opcode Fuzzy Hash: 9d1404a5553f3a0f6d46cee5372ebc1c7bf00076947bc9b9b875bae98837cfea
                                                                        • Instruction Fuzzy Hash: B841CFB1D103599FDF14CF99C884ADEBBB5BF48314F24822AE819AB250D7749985CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 01027F01
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932783362.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CallProcWindow
                                                                        • String ID:
                                                                        • API String ID: 2714655100-0
                                                                        • Opcode ID: 5296ceb9403b59203171ecb7cbb6b7914287acddc8995d84bbc3ebac498643e8
                                                                        • Instruction ID: a026109d5f65fe5202db138b45ad638e66b356099146e9aa894ed92b5cd8976e
                                                                        • Opcode Fuzzy Hash: 5296ceb9403b59203171ecb7cbb6b7914287acddc8995d84bbc3ebac498643e8
                                                                        • Instruction Fuzzy Hash: 79416AB9A00315CFDB54CF99C488AABBBF5FB98314F148499E509AB321C774A841CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01026BEF
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932783362.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 37d2519b6537e0a565d24d2da9dc3eccc5828ad3ed062254046c4daf246dd2f1
                                                                        • Instruction ID: b067e07bfd02e86624f1d41ca92da53178f6bd8fc7ee743cd78344edfaf39a80
                                                                        • Opcode Fuzzy Hash: 37d2519b6537e0a565d24d2da9dc3eccc5828ad3ed062254046c4daf246dd2f1
                                                                        • Instruction Fuzzy Hash: 7D21E4B59002599FDB10CFA9D984AEEBFF4FB48324F14845AE954A7310D374A954CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01026BEF
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932783362.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: e6f3dd4529f93c4741e8c22d6dbb652cb1d73f56fba197d3aa5c0c36e31ec5ea
                                                                        • Instruction ID: 9c067d1a465ff2b4d396065cd366adaa7ca4bcb1ec823d15992b6c55e2ece1f3
                                                                        • Opcode Fuzzy Hash: e6f3dd4529f93c4741e8c22d6dbb652cb1d73f56fba197d3aa5c0c36e31ec5ea
                                                                        • Instruction Fuzzy Hash: A121F5B5D002589FDB10CF99D984ADEBBF8FB48324F14841AE914A3310D374A944CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,00E7E03A), ref: 00E7E127
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932598554.0000000000E70000.00000040.00000010.sdmp, Offset: 00E70000, based on PE: false
                                                                        Similarity
                                                                        • API ID: GlobalMemoryStatus
                                                                        • String ID:
                                                                        • API String ID: 1890195054-0
                                                                        • Opcode ID: 5ef2a06964a3b1d2f034a0409eb24f2ac7b41d52ff56f7af851d4dcb4df53025
                                                                        • Instruction ID: 1a48d3874a29bec8126124a4a5e6ccc579461ec0ffeceb467dcec24ac321d2a0
                                                                        • Opcode Fuzzy Hash: 5ef2a06964a3b1d2f034a0409eb24f2ac7b41d52ff56f7af851d4dcb4df53025
                                                                        • Instruction Fuzzy Hash: 3911F2B1C006599BCB10CF9AD845BEEFBB8AB48324F14856AE418B7640D378A944CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
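The per-function records above (API call sites, the memory dump they were lifted from, and the opcode/instruction fuzzy hashes) are the part of a sandbox report most often compared across samples, and the listing on this page shows two things worth handling mechanically: the same call-site set appearing twice under different Opcode IDs (the DuplicateHandle pair at 01026BEF), and a call such as GlobalMemoryStatusEx that an analyst may want to surface. The following parser for this listing layout is an added example, not part of the Joe Sandbox report or its tooling. The embedded input is an abridged copy of three entries from the listing above; the watchlist default is an assumption of the example and is not something the report emits.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: three entries from the listing above, indentation removed and some
# hash lines dropped for length. Any report text in this shape parses the same way.
SAMPLE = """\
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01026BEF
Memory Dump Source
• Source File: 00000006.00000002.932783362.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 37d2519b6537e0a565d24d2da9dc3eccc5828ad3ed062254046c4daf246dd2f1
• Instruction Fuzzy Hash: 7D21E4B59002599FDB10CFA9D984AEEBFF4FB48324F14845AE954A7310D374A954CFA0
Uniqueness
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01026BEF
• Source File: 00000006.00000002.932783362.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
• API ID: DuplicateHandle
• API String ID: 3793708945-0
• Opcode ID: e6f3dd4529f93c4741e8c22d6dbb652cb1d73f56fba197d3aa5c0c36e31ec5ea
Uniqueness Score: -1.00%
APIs
• GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,00E7E03A), ref: 00E7E127
• Source File: 00000006.00000002.932598554.0000000000E70000.00000040.00000010.sdmp, Offset: 00E70000, based on PE: false
• API ID: GlobalMemoryStatus
• API String ID: 1890195054-0
• Opcode ID: 5ef2a06964a3b1d2f034a0409eb24f2ac7b41d52ff56f7af851d4dcb4df53025
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<mod>[\w.]+)(?:\((?P<args>[^)]*)\))?"
                    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)$")
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?\d+(?:\.\d+)?)%$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]  # as printed; '?' = argument the sandbox could not resolve
    ref: int         # call-site address inside the dump

@dataclass
class FunctionEntry:
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    uniqueness: Optional[float] = None
    meta: Dict[str, str] = field(default_factory=dict)  # API ID, Opcode ID, fuzzy hashes, ...
    apis: List[ApiCall] = field(default_factory=list)

    @property
    def opcode_id(self) -> str:
        return self.meta.get("Opcode ID", "")

def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'Uniqueness Score' block; bare section labels carry no data."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if m := SCORE_RE.match(line):
            cur.uniqueness = float(m.group("score"))
            entries.append(cur)
            cur = FunctionEntry()
        elif m := API_RE.match(line):
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            cur.apis.append(ApiCall(m.group("name"), m.group("mod"), args, int(m.group("ref"), 16)))
        elif m := SRC_RE.match(line):
            cur.source_file, cur.offset = m.group("file"), int(m.group("off"), 16)
            cur.based_on_pe = m.group("pe") == "true"
        elif m := KV_RE.match(line):
            cur.meta[m.group("key")] = m.group("val").strip()
    if cur.meta or cur.apis:  # listing truncated before its final score line
        entries.append(cur)
    return entries

def same_call_sites(entries) -> Dict[Tuple, List[str]]:
    """Entries with identical (module, API, call site) sets but different Opcode IDs, e.g. the
    DuplicateHandle pair at 01026BEF above: one code region hashed twice, so count per group."""
    groups = defaultdict(list)
    for e in entries:
        if e.apis:
            groups[tuple((a.module, a.name, a.ref) for a in e.apis)].append(e.opcode_id)
    return {k: v for k, v in groups.items() if len(set(v)) > 1}

def watchlist_hits(entries, watch=frozenset({"GlobalMemoryStatusEx"})) -> List[Tuple[str, str, str]]:
    """(Opcode ID, API, dump) for calls on an analyst-chosen watchlist. The default set is an
    assumption of this example, not report output; GlobalMemoryStatusEx is on it because
    total-RAM checks are a common way to fingerprint small analysis VMs."""
    return [(e.opcode_id, a.name, e.source_file) for e in entries for a in e.apis if a.name in watch]
```

Feed it the whole function listing (with the leading indentation intact, since each line is stripped) and compare `same_call_sites` groups rather than raw entry counts when matching this sample's functions against another report; the dump file name is kept verbatim and not decoded.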

                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,?,05BD7999,00000800), ref: 05BD7A2A
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.935937185.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 32055f96841af006bfae568ebc10a6bc5b9595d7e975d8e90be6da6a2abf7ff4
                                                                        • Instruction ID: bb9e570cf855818318a1a9862bf685f3208e678e797e1b035cc081f7aeabbc66
                                                                        • Opcode Fuzzy Hash: 32055f96841af006bfae568ebc10a6bc5b9595d7e975d8e90be6da6a2abf7ff4
                                                                        • Instruction Fuzzy Hash: 0F1114B69002499FCB10CF9AC844BDEFBF4EB48324F14846AE519A7600D778AA45CFA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RtlEncodePointer.NTDLL(00000000), ref: 0102C212
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932783362.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
                                                                        Similarity
                                                                        • API ID: EncodePointer
                                                                        • String ID:
                                                                        • API String ID: 2118026453-0
                                                                        • Opcode ID: 0106c5a12dbde85a6b2d85d1bb470ddd55abcb00bbdb939d1d4ab7f526c385f5
                                                                        • Instruction ID: 300fec13f2a57531435d98da3210b73f72caa03b8bc0a69660885166f3a7dc8d
                                                                        • Opcode Fuzzy Hash: 0106c5a12dbde85a6b2d85d1bb470ddd55abcb00bbdb939d1d4ab7f526c385f5
                                                                        • Instruction Fuzzy Hash: 9E11AF719003148FDB50CFA9D94879EBBF4FB49314F24842AD809E3600DB78A545CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 01024116
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932783362.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: 84d4c5f5ccc4a44509ddb9a08e46f8005eaef3ff55c49f5ccd262f81994ba4da
                                                                        • Instruction ID: 3671cdfe316e5bc3eb4be9931faa3f6b78a5d2cc366d66b19b4fd6919985dc81
                                                                        • Opcode Fuzzy Hash: 84d4c5f5ccc4a44509ddb9a08e46f8005eaef3ff55c49f5ccd262f81994ba4da
                                                                        • Instruction Fuzzy Hash: 171146B5D007598FDB10CF9AC444BDEFBF4EB48224F14842AD969B7600D378A545CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 01024116
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932783362.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: 13820ec87224c8d6d11ec529c6280a07547cff8c153086ed20b8678a1abc3c48
                                                                        • Instruction ID: a93c2fea05d7cd60b41d4fa029c242abe33cbf0decf1644ea9a3d23ada54b91a
                                                                        • Opcode Fuzzy Hash: 13820ec87224c8d6d11ec529c6280a07547cff8c153086ed20b8678a1abc3c48
                                                                        • Instruction Fuzzy Hash: 911132B6C002598FDB10CF9AC884ADEFBF4EB89224F14846AD569B7600D378A545CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 05BDB4D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.935937185.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Initialize
                                                                        • String ID:
                                                                        • API String ID: 2538663250-0
                                                                        • Opcode ID: 73d3f9e973e0e82fb1d0102aefe9875876effabd2e9b96cc3b1090dcba4148ed
                                                                        • Instruction ID: 5204c00bcd6f28521f16f5060803cf266e44c3436261f9a315c2afee8f04d6e0
                                                                        • Opcode Fuzzy Hash: 73d3f9e973e0e82fb1d0102aefe9875876effabd2e9b96cc3b1090dcba4148ed
                                                                        • Instruction Fuzzy Hash: 121103B59006498FCB10DF99D484BEEFBF8EB48324F148459D519A7700D374A944CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 05BDB4D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.935937185.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Initialize
                                                                        • String ID:
                                                                        • API String ID: 2538663250-0
                                                                        • Opcode ID: fcf67f6ae62cf335981c8f6789ddea4479e5f0ccefc4a569a0f42320d1f98bef
                                                                        • Instruction ID: d8b3fbe48e5af09d43d25f5063e5d220ad94e40859ebe6d7c2f24ff7a0c7aa38
                                                                        • Opcode Fuzzy Hash: fcf67f6ae62cf335981c8f6789ddea4479e5f0ccefc4a569a0f42320d1f98bef
                                                                        • Instruction Fuzzy Hash: AA1115B59006498FCB20CF99D484BDEFBF4FB48324F248459D559A7700D378A944CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.932437305.0000000000C4D000.00000040.00000001.sdmp, Offset: 00C4D000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9c24cacf6186e4bef84951bbe1b2a1eb0666436d9156a2be9f50745e17edf62a
                                                                        • Instruction ID: 23007e663d2b7427614c8632c5b3d05f1b921bd3021598e962c208860313ca81
                                                                        • Opcode Fuzzy Hash: 9c24cacf6186e4bef84951bbe1b2a1eb0666436d9156a2be9f50745e17edf62a
                                                                        • Instruction Fuzzy Hash: 102103B1504240DFDB11EF10D8C0F67BB65FB88328F248569E8070B246C736E959DBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
• Source File: 00000006.00000002.932437305.0000000000C4D000.00000040.00000001.sdmp, Offset: 00C4D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d118e037f6ddb7cda2b0e4c79374182a6531125f75bb84d8b0c1518cfc16b6bf
• Instruction ID: 1d660b83985f99d8cd91496968c590bcf0e481864d16032912bd9e7784650e6a
• Opcode Fuzzy Hash: d118e037f6ddb7cda2b0e4c79374182a6531125f75bb84d8b0c1518cfc16b6bf
• Instruction Fuzzy Hash: 692125B1504240DFCB01EF50D8C0F66BF66FB94328F24896DE80A4B246C736D956DBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.932472168.0000000000C5D000.00000040.00000001.sdmp, Offset: 00C5D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d9fac0ec010ea3b7ca8c684fe01031679befa08cc9a05bdfc5beaa384fef3b34
• Instruction ID: 8e1bd3dac06a15ddeca5bf57634dd9310012b7f016ff42a8c9346f0162cbaf71
• Opcode Fuzzy Hash: d9fac0ec010ea3b7ca8c684fe01031679befa08cc9a05bdfc5beaa384fef3b34
• Instruction Fuzzy Hash: AF21D379504340DFDB24DF10D5C4B16BB65EB84315F24C969DC4A4B286C33AD88ACAA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.932472168.0000000000C5D000.00000040.00000001.sdmp, Offset: 00C5D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa0bee978b732abd4ed69eac08d721182945aee5dace22d2f7e609181c2661c1
• Instruction ID: c7a6331af076916ad863357b0f62dbf2d92a88effafe7393ddbf32823f71bb05
• Opcode Fuzzy Hash: fa0bee978b732abd4ed69eac08d721182945aee5dace22d2f7e609181c2661c1
• Instruction Fuzzy Hash: AE2192755093C08FCB12CF20D990715BF71EB86314F28C5EAD8498F6A7C33A984ACB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.932437305.0000000000C4D000.00000040.00000001.sdmp, Offset: 00C4D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9b4768df47c0c72382ddcae975d869f3692393f3f4822e6597009969694e5ed2
• Instruction ID: 54ff39f0dc42bfa265aad82d01f9e1415660f730c752fe5d9b762ae84e02f45b
• Opcode Fuzzy Hash: 9b4768df47c0c72382ddcae975d869f3692393f3f4822e6597009969694e5ed2
• Instruction Fuzzy Hash: DF11D3B6504280CFCF12DF10D5C4B16BF72FB84324F24C6A9D8064B656C33AD95ACBA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.932437305.0000000000C4D000.00000040.00000001.sdmp, Offset: 00C4D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9b4768df47c0c72382ddcae975d869f3692393f3f4822e6597009969694e5ed2
• Instruction ID: 791be18cd9bd7c98bfe7f67bf23de2220fbf231e6f046718fc39e7f489d5a7c6
• Opcode Fuzzy Hash: 9b4768df47c0c72382ddcae975d869f3692393f3f4822e6597009969694e5ed2
• Instruction Fuzzy Hash: 3311D3B6504280CFCB02DF10D5C4B56BF72FB94324F24C6A9D8094B656C33AD95ACBA2
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions