
Windows Analysis Report PO# 6100003560, items 00090 and 00100.exe

Overview

General Information

Sample Name: PO# 6100003560, items 00090 and 00100.exe
Analysis ID: 553253
MD5: 6181e56a727d1a622764b93f44847b55
SHA1: 35d223985c50bce16e09c4465627dfadff775ced
SHA256: 9c252952a81c86f0d5b5206b35d84a446dd85322f64bafc1b082337ba738f291
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "humhum@nutiribio.com", "Password": "zGNVO(l5", "Host": "smtp.nutiribio.com"}
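The extracted configuration is the most actionable line on this page: the stealer delivers harvested credentials by SMTP AUTH to smtp.nutiribio.com with the embedded mailbox. The script below is an added example written for this page, not part of the Joe Sandbox report or of AgentTesla: it turns such a config into indicators and runs them over constructed connection records to find (a) direct hits on the configured exfil host and (b) any workstation speaking SMTP to a host outside an allowlist of corporate relays. The second check is the durable one, because the mailbox and host change per build while direct-to-Internet SMTP from an endpoint almost never belongs. The log format, the 10.10.0.0/16 workstation range, the relay hostname and the log entries are assumptions made up for the example.

```python
import ipaddress
import json

# Extracted configuration, copied from the report above.
AGENTTESLA_CONFIG = {"Exfil Mode": "SMTP", "Username": "humhum@nutiribio.com",
                     "Password": "zGNVO(l5", "Host": "smtp.nutiribio.com"}

SMTP_PORTS = {25, 465, 587}

# Assumptions for this example: workstations live in 10.10.0.0/16 and may only
# talk SMTP to the listed relay. Neither value comes from the report.
WORKSTATION_NET = ipaddress.ip_network("10.10.0.0/16")
ALLOWED_RELAYS = {"mail-relay.corp.example"}

# Constructed connection log (JSON lines), not taken from the report.
CONN_LOG = """
{"ts": "2022-01-19T10:01:02Z", "src": "10.10.5.23", "dst_host": "smtp.nutiribio.com", "dst_port": 587, "proto": "tcp"}
{"ts": "2022-01-19T10:01:07Z", "src": "10.10.5.23", "dst_host": "api.ipify.org", "dst_port": 443, "proto": "tcp"}
{"ts": "2022-01-19T10:02:11Z", "src": "10.10.7.40", "dst_host": "mail-relay.corp.example", "dst_port": 25, "proto": "tcp"}
{"ts": "2022-01-19T10:03:45Z", "src": "10.10.9.12", "dst_host": "smtp.gmail.com", "dst_port": 465, "proto": "tcp"}
{"ts": "2022-01-19T10:04:00Z", "src": "10.20.1.5", "dst_host": "smtp.nutiribio.com", "dst_port": 587, "proto": "tcp"}
"""


def indicators_from_config(cfg):
    """Derive network and identity indicators from an AgentTesla SMTP config."""
    if cfg.get("Exfil Mode") != "SMTP":
        raise ValueError("this example handles the SMTP exfil mode only")
    user = cfg["Username"].lower()
    return {
        "exfil_host": cfg["Host"].lower(),
        "exfil_mailbox": user,                    # match against mail-gateway AUTH logs
        "exfil_domain": user.split("@", 1)[1],    # catches sibling hosts of the same domain
    }


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def config_hits(records, ind):
    """Records whose destination is the configured exfil host or any host in its mail domain."""
    return [r for r in records
            if r["dst_host"].lower() == ind["exfil_host"]
            or r["dst_host"].lower().endswith("." + ind["exfil_domain"])]


def smtp_egress_violations(records):
    """Workstations speaking SMTP to anything but the allowed relays (config-independent)."""
    out = []
    for r in records:
        if r["proto"] != "tcp" or r["dst_port"] not in SMTP_PORTS:
            continue
        if ipaddress.ip_address(r["src"]) not in WORKSTATION_NET:
            continue
        if r["dst_host"].lower() in ALLOWED_RELAYS:
            continue
        out.append(r)
    return out


if __name__ == "__main__":
    ind = indicators_from_config(AGENTTESLA_CONFIG)
    recs = parse_log(CONN_LOG)
    for r in config_hits(recs, ind):
        print("exfil host contacted:", r["src"], "->", r["dst_host"], r["dst_port"])
    for r in smtp_egress_violations(recs):
        print("direct SMTP from workstation:", r["src"], "->", r["dst_host"], r["dst_port"])
```

The mailbox password is reproduced only because the report prints it; treat it as an indicator to share, not as a credential to use, since logging in to the operator's mailbox is unauthorized access and tips them off. Note that the server-side record of the 10.20.1.5 host hitting smtp.nutiribio.com is caught by the indicator match but not by the egress rule, which is why both checks are kept.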

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(Strings column omitted, empty in the report; the full table has 16 entries)

            Unpacked PEs

Source | Rule | Description | Author
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(Strings column omitted, empty in the report; the full table has 18 entries)

                      Sigma Overview

                      No Sigma rule has matched

Jbx Signature Overview

                      AV Detection:

Found malware configuration
Source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "humhum@nutiribio.com", "Password": "zGNVO(l5", "Host": "smtp.nutiribio.com"}
Multi AV Scanner detection for submitted file
Source: PO# 6100003560, items 00090 and 00100.exe | Virustotal: Detection: 43%
Source: PO# 6100003560, items 00090 and 00100.exe | ReversingLabs: Detection: 27%
Machine Learning detection for sample
Source: PO# 6100003560, items 00090 and 00100.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.2.PO# 6100003560, items 00090 and 00100.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ConstructorReturnMessa.pdb | source: PO# 6100003560, items 00090 and 00100.exe
Source: Binary string: ConstructorReturnMessa.pdbH | source: PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | String found in binary or memory: http://MBStZn.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.commito
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Note: the font-vendor URLs above (fontbureau.com, fonts.com, founder.com.cn, galapagosdesign.com, sajatypeworks.com, sakkal.com, tiro.com, typography.net, urwpp.de and the rest from the process 0 dumps) are copyright and designer strings carried by font files mapped into the process; they are not network indicators for this sample and should not be added to blocklists. The strings from the process 8 dump (the api.ipify.org external-IP lookup, the DynDns reference and the Tor Browser download URL with its %tordir% placeholder) are consistent with AgentTesla's own functionality.
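The "Static PE information" lines above (LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED; NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT) are the Characteristics field of the COFF file header and the DllCharacteristics field of the optional header, and the data-directory lines under System Summary below come from the optional header's directory table. The parser below is an added example written for this page, not Joe Sandbox's code: it reads those fields with the standard library only and reports the same flags, plus whether the image is a .NET assembly (a non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, which is the cue to decompile rather than disassemble). `build_sample_pe()` constructs a minimal header image carrying this sample's flag values so the block runs offline; it is not the sample and contains no code.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (PE/COFF specification).
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits.
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR header, present only in .NET images


def pe_static_info(data: bytes) -> dict:
    """Decode the header fields a sandbox prints as 'Static PE information'."""
    if data[:2] != b"MZ":
        raise ValueError("no DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symptr, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 96:
        raise ValueError("optional header too small")
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: 4-byte ImageBase and stack/heap sizes
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:    # PE32+: 8-byte ImageBase and sizes shift the tail
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    dirs = [struct.unpack_from("<II", data, opt + dirs_off + 8 * i) for i in range(nrva)]

    def present(idx):
        return idx < len(dirs) and dirs[idx] != (0, 0)

    return {
        "machine": machine,
        "is_32bit": magic == 0x10B,
        "characteristics": sorted(n for b, n in FILE_CHARACTERISTICS.items() if chars & b),
        "dll_characteristics": sorted(n for b, n in DLL_CHARACTERISTICS.items() if dllchars & b),
        "is_dotnet": present(IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR),
        "has_debug_dir": present(IMAGE_DIRECTORY_ENTRY_DEBUG),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header with this sample's flag values (not the sample itself)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    chars = 0x0002 | 0x0004 | 0x0008 | 0x0100
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)   # IMAGE_FILE_MACHINE_I386
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                              # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x2000, 0x1C)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in pe_static_info(blob).items():
        print(f"{key}: {value}")
```

Run it with a file path to inspect a real binary. The DllCharacteristics value these four flags encode (0x8540) is what the C# compiler emits by default, so on their own they say nothing about intent; the COM descriptor entry is the useful signal, and the debug directory is what carries the ConstructorReturnMessa.pdb path the report lists.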

                      System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PO# 6100003560, items 00090 and 00100.exe
.NET source code contains very large array initializations
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack, <PrivateImplementationDetails>{A23A83EA-A498-4AEF-BB16-CCD2EDE07471}/A33BCC3D-23D1-407D-9507-8DF915F9F7E3.cs | Large array initialization: .cctor: array initializer size 11775
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 0_2_003C6AB9
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 0_2_00B6C994
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 0_2_00B6EDD8
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 0_2_00B6EDC9
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 4_2_002E6AB9
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 6_2_00226AB9
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 7_2_000A6AB9
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00B16AB9
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FD1878
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FD7948
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FDBFA8
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FD8818
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FD876A
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FD0738
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_014D46A0
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_014D45D0
Source: PO# 6100003560, items 00090 and 00100.exe | Binary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702898417.0000000006E00000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696087469.00000000003C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe | Binary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000004.00000000.684019444.00000000002E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe | Binary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000006.00000000.687471583.0000000000222000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe | Binary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000007.00000000.689037100.00000000000A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe | Binary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000000.691670315.0000000000B12000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.931375320.0000000000438000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.931555930.0000000000F38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe | Binary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: PO# 6100003560, items 00090 and 00100.exe | Virustotal: Detection: 43%
Source: PO# 6100003560, items 00090 and 00100.exe | ReversingLabs: Detection: 27%
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe "C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe"
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO# 6100003560, items 00090 and 00100.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/1@0/0
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ConstructorReturnMessa.pdb | source: PO# 6100003560, items 00090 and 00100.exe
Source: Binary string: ConstructorReturnMessa.pdbH | source: PO# 6100003560, items 00090 and 00100.exe
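The process-creation lines above show the sample launching further copies of its own image (the analysis numbers them 4, 6, 7 and 8), which together with the "Creates a process in suspended mode" and "Injects a PE file into a foreign process" signatures is the self-hollowing pattern, and the WMI line shows it enumerating Win32_Processor (the signature list adds Win32_Bios, Win32_BaseBoard and Win32_NetworkAdapter). The detector below is an added example written for this page, not Joe Sandbox code, run over constructed Sysmon-style events: it correlates same-image child creation with hardware-identity WMI enumeration per process, because either signal alone is noisy (browsers spawn their own image for renderer processes; inventory agents enumerate hardware). The event schema, PIDs, the benign look-alike processes and their paths are assumptions.

```python
import json
from collections import defaultdict

# WMI classes the report flags as VM fingerprinting when a process enumerates them.
FINGERPRINT_CLASSES = {"win32_processor", "win32_bios", "win32_baseboard", "win32_networkadapter"}

SAMPLE_EXE = r"C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe"

# Constructed telemetry (not from the report), serialised as JSON lines the way a
# Sysmon/EDR forwarder would emit it. PIDs and the benign processes are made up.
TELEMETRY = "\n".join(json.dumps(e) for e in [
    {"event": "process_create", "pid": 1000, "ppid": 4, "image": SAMPLE_EXE},
    {"event": "wmi_query", "pid": 1000, "namespace": "root\\cimv2", "class": "Win32_Processor"},
    {"event": "wmi_query", "pid": 1000, "namespace": "root\\cimv2", "class": "Win32_Bios"},
    {"event": "wmi_query", "pid": 1000, "namespace": "root\\cimv2", "class": "Win32_BaseBoard"},
    {"event": "wmi_query", "pid": 1000, "namespace": "root\\cimv2", "class": "Win32_NetworkAdapter"},
    {"event": "process_create", "pid": 1004, "ppid": 1000, "image": SAMPLE_EXE},
    {"event": "process_create", "pid": 1006, "ppid": 1000, "image": SAMPLE_EXE},
    {"event": "process_create", "pid": 1007, "ppid": 1000, "image": SAMPLE_EXE},
    {"event": "process_create", "pid": 1008, "ppid": 1000, "image": SAMPLE_EXE},
    # Benign look-alikes: a browser that spawns its own image, an inventory agent that queries hardware.
    {"event": "process_create", "pid": 2000, "ppid": 4, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event": "process_create", "pid": 2001, "ppid": 2000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event": "process_create", "pid": 2002, "ppid": 2000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event": "process_create", "pid": 2003, "ppid": 2000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event": "process_create", "pid": 3000, "ppid": 4, "image": r"C:\Program Files\Inventory\agent.exe"},
    {"event": "wmi_query", "pid": 3000, "namespace": "root\\cimv2", "class": "Win32_Processor"},
    {"event": "wmi_query", "pid": 3000, "namespace": "root\\cimv2", "class": "Win32_Bios"},
])


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def self_spawn_counts(events):
    """Map parent pid -> number of children created with the parent's own image path."""
    image_of = {e["pid"]: e["image"].lower() for e in events if e["event"] == "process_create"}
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "process_create" and image_of.get(e["ppid"]) == e["image"].lower():
            counts[e["ppid"]] += 1
    return dict(counts)


def fingerprint_classes(events):
    """Map pid -> set of hardware-identity WMI classes it enumerated."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "wmi_query" and e["class"].lower() in FINGERPRINT_CLASSES:
            seen[e["pid"]].add(e["class"].lower())
    return dict(seen)


def detect(text, min_self_spawn=2, min_classes=2):
    """Alert on processes that both re-launch their own image and fingerprint the hardware."""
    events = parse_events(text)
    image_of = {e["pid"]: e["image"] for e in events if e["event"] == "process_create"}
    spawns = self_spawn_counts(events)
    classes = fingerprint_classes(events)
    alerts = []
    for pid, n in spawns.items():
        hit = classes.get(pid, set())
        if n >= min_self_spawn and len(hit) >= min_classes:
            alerts.append({"pid": pid, "image": image_of[pid], "self_spawn": n, "wmi_classes": sorted(hit)})
    return alerts


if __name__ == "__main__":
    for alert in detect(TELEMETRY):
        print(json.dumps(alert))
```

Sysmon event 1 does not record the CREATE_SUSPENDED flag, so the count of same-image children stands in for the suspended-create-then-inject step here. Sysmon's WMI events (19 to 21) cover event-subscription persistence, not queries; per-process visibility of CreateInstanceEnum calls like the one above needs the WMI-Activity trace channel or an EDR sensor.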

                      Data Obfuscation:

.NET source code contains potential unpacker
Source: PO# 6100003560, items 00090 and 00100.exe, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3c0000.0.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.PO# 6100003560, items 00090 and 00100.exe.3c0000.0.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.2.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.PO# 6100003560, items 00090 and 00100.exe.2e0000.0.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.1.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.0.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.3.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.2.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.1.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.PO# 6100003560, items 00090 and 00100.exe.220000.0.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.0.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.3.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.3.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.2.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.1.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.PO# 6100003560, items 00090 and 00100.exe.a0000.0.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.0.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.PO# 6100003560, items 00090 and 00100.exe.b10000.1.unpack, yH/xi.cs | .Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: PO# 6100003560, items 00090 and 00100.exe, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3c0000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.0.PO# 6100003560, items 00090 and 00100.exe.3c0000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.2.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 4.2.PO# 6100003560, items 00090 and 00100.exe.2e0000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.1.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.3.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.2.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.1.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.2.PO# 6100003560, items 00090 and 00100.exe.220000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.3.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.3.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.2.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.1.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.2.PO# 6100003560, items 00090 and 00100.exe.a0000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 8.2.PO# 6100003560, items 00090 and 00100.exe.b10000.1.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 0_2_00B6D0F8 push 3C04C2C3h; ret 0_2_00B6D0FD
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 0_2_00B69288 pushfd ; retn 0004h0_2_00B694DA
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 0_2_00B63E41 push edx; retn 0004h0_2_00B63E42
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_0136D95C push eax; ret 8_2_0136D95D
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_0136E332 push eax; ret 8_2_0136E349
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.23335914978
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile created: \po# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.272f86c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.2776894.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.2737878.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 7120, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 7124 | Thread sleep time: -38628s >= -30000s
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 7156 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 5564 | Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 3080 | Thread sleep count: 2971 > 30
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 3080 | Thread sleep count: 6893 > 30
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Window / User API: threadDelayed 2971
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Window / User API: threadDelayed 6893
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Thread delayed: delay time: 38628
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FDCF70 LdrInitializeThunk, | 8_2_00FDCF70
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Memory written: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932334947.0000000001880000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932334947.0000000001880000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932334947.0000000001880000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932334947.0000000001880000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                       Yara detected AgentTesla
                       Source: Yara match | File source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 8.2.PO# 6100003560, items 00090 and 00100.exe.400000.0.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.12.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.8.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3763cf8.5.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.4.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3763cf8.5.raw.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.raw.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000008.00000000.694460760.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000008.00000000.693491204.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000008.00000002.931334494.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000008.00000002.932648728.0000000002FE2000.00000004.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 7120, type: MEMORYSTR
                       Source: Yara match | File source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 3112, type: MEMORYSTR
                       Tries to steal Mail credentials (via file / registry access)
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                       Tries to harvest and steal browser information (history, passwords, etc)
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                       Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                       Source: Yara match | File source: 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 3112, type: MEMORYSTR
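                       Detection note and added example (not part of the Joe Sandbox report). The lines in this section worth alerting on are the credential-store accesses, not the font and GAC volume queries, which are routine for .NET binaries that load System.Drawing and System.Windows.Forms (both listed above). One process opening Thunderbird's and Firefox's profiles.ini, Chrome's Login Data, the Outlook profile key and the IncrediMail Identities key in a single run is the AgentTesla harvester pattern. The Python below scores file/registry-access events for that pattern and allow-lists the owning application for each store. The event records, the owner allow-list, the image names and the two-store threshold are assumptions constructed for this example and modelled on the report's lines; PID 3112 is borrowed from the report's memory matches as a placeholder only, since the report does not say which process performed each open.

```python
"""Added example for this page (not Joe Sandbox code): flag processes that read
several mail/browser credential stores, the access pattern the report shows
for this AgentTesla sample. Events below are constructed for the example."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Credential stores named in the report, as regexes over a lower-cased file
# path or registry key. Registry keys are matched on the key path only.
CREDENTIAL_STORES: List[Tuple[str, re.Pattern]] = [
    ("thunderbird-profile", re.compile(r"\\thunderbird\\profiles\.ini$")),
    ("firefox-profile",     re.compile(r"\\mozilla\\firefox\\profiles\.ini$")),
    ("chrome-logins",       re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$")),
    ("outlook-profile",     re.compile(r"\\windows messaging subsystem\\profiles\\outlook\\")),
    ("incredimail-ids",     re.compile(r"\\incredimail\\identities$")),
]

# Assumed allow-list: the application that legitimately owns each store.
OWNER_PROCESS: Dict[str, Set[str]] = {
    "thunderbird-profile": {"thunderbird.exe"},
    "firefox-profile": {"firefox.exe"},
    "chrome-logins": {"chrome.exe"},
    "outlook-profile": {"outlook.exe"},
    "incredimail-ids": {"incmail.exe"},
}


def classify(target: str) -> Optional[str]:
    """Map a file path or registry key to a store label, or None for noise
    (font files, GAC assemblies, MachineGuid and similar)."""
    t = target.lower()
    for label, rx in CREDENTIAL_STORES:
        if rx.search(t):
            return label
    return None


def score_events(events: Iterable[dict], min_stores: int = 2) -> Dict[Tuple[int, str], List[str]]:
    """Return {(pid, image name): sorted store labels} for every process that
    touched at least min_stores distinct stores it does not own. One foreign
    store may be a backup or migration tool; two or more is the harvester
    pattern (this sample touches all five)."""
    hits: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for ev in events:
        label = classify(ev["target"])
        if label is None:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in OWNER_PROCESS.get(label, set()):
            continue
        hits[(ev["pid"], image)].add(label)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_stores}


SAMPLE = r"C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe"
# Constructed events modelled on the report's "File opened" / "Key opened" lines.
# PID 3112 is taken from the report's memory matches as a placeholder only.
SAMPLE_EVENTS = [
    {"pid": 3112, "image": SAMPLE, "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 3112, "image": SAMPLE, "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 3112, "image": SAMPLE, "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"pid": 3112, "image": SAMPLE, "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 3112, "image": SAMPLE, "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 3112, "image": SAMPLE, "target": r"C:\Windows\Fonts\ROCK.TTF"},  # runtime noise, ignored
    # Owner reading its own store: allow-listed.
    {"pid": 4420, "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    # Hypothetical tool touching a single foreign store: below the default threshold.
    {"pid": 5100, "image": r"C:\Tools\backup.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for (pid, image), stores in score_events(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image} stores={', '.join(stores)}")
```

                       Run as-is it alerts on the sample process only; lower min_stores to 1 to see the single-store hit surface and the allow-listed Thunderbird access stay silent. Feed it real Sysmon event 11/12/13 or EDR file- and registry-open records with the same three fields to use it outside the example.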

                      Remote Access Functionality:

                       Yara detected AgentTesla
                       Source: Yara match | File source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 8.2.PO# 6100003560, items 00090 and 00100.exe.400000.0.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.12.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.8.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3763cf8.5.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.4.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3763cf8.5.raw.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.raw.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000008.00000000.694460760.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000008.00000000.693491204.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000008.00000002.931334494.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000008.00000002.932648728.0000000002FE2000.00000004.00000001.sdmp, type: MEMORY
                       Source: Yara match | File source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 7120, type: MEMORYSTR
                       Source: Yara match | File source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 3112, type: MEMORYSTR

                       Mitre Att&ck Matrix

                       Listed per tactic. Bracketed numbers are the hit counts the report attaches to techniques matched by this sample's signatures; entries without a number are the unmatched cells of the full matrix.

                       Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                       Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                       Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                       Privilege Escalation: Process Injection [112]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                       Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [112]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [23]
                       Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                       Discovery: Security Software Discovery [211]; Process Discovery [2]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; System Information Discovery [114]; System Owner/User Discovery; Network Sniffing
                       Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                       Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                       Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                       Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                       Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                       Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                       Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                      Behavior Graph


                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
PO# 6100003560, items 00090 and 00100.exe | 43% | Virustotal |
PO# 6100003560, items 00090 and 00100.exe | 28% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
PO# 6100003560, items 00090 and 00100.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
8.2.PO# 6100003560, items 00090 and 00100.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.commito | 0% | Avira URL Cloud | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://MBStZn.com | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmp | false | | high
http://www.fontbureau.com/designersG | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.commito | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.coma | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://MBStZn.com | PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | | high
https://api.ipify.org%GETMozilla/5.0 | PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                                          Contacted IPs

                                          No contacted IP infos

                                          General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553253
Start date: 14.01.2022
Start time: 15:06:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PO# 6100003560, items 00090 and 00100.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/1@0/0
EGA Information:
• Successful, ratio: 40%
HDC Information:
• Successful, ratio: 0.3% (good quality ratio 0.1%)
• Quality average: 18.4%
• Quality standard deviation: 31%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 53
• Number of non-executed functions: 4
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                          • Execution Graph export aborted for target PO# 6100003560, items 00090 and 00100.exe, PID 1000 because there are no executed function
                                          • Execution Graph export aborted for target PO# 6100003560, items 00090 and 00100.exe, PID 1444 because there are no executed function
                                          • Execution Graph export aborted for target PO# 6100003560, items 00090 and 00100.exe, PID 4780 because there are no executed function
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
15:07:27 | API Interceptor | 736x Sleep call for process: PO# 6100003560, items 00090 and 00100.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASN

                                          No context

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO# 6100003560, items 00090 and 00100.exe.log
Process: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 5.345651901398759
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
MD5: A9EFF9253CAF99EC8665E41D736DDAED
SHA1: D95BB4ABC856D774DA4602A59DE252B4BF560530
SHA-256: DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
SHA-512: 96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
Malicious: true
Reputation: moderate, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          Static File Info

                                          General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.219699789114028
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: PO# 6100003560, items 00090 and 00100.exe
File size: 590336
MD5: 6181e56a727d1a622764b93f44847b55
SHA1: 35d223985c50bce16e09c4465627dfadff775ced
SHA256: 9c252952a81c86f0d5b5206b35d84a446dd85322f64bafc1b082337ba738f291
SHA512: 982fad5e912da6016ad49ea29c5d05362bafa1d6bd9024c86ccac30a1b49e01b667666f5eccb4b7c3a4b7f2aafe03439f582c1ddc552454392f013166c14b009
SSDEEP: 12288:pPIK777777777777N7FPlJOS4ww6Ug2gws8+Ww/JiR:pPIK777777777777lFjOSfV2P+Ww/8R
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>7.a............................n.... ... ....@.. .......................`............@................................

                                          File Icon

Icon Hash: 00828e8e8686b000

                                          Static PE Info

                                          General

Entrypoint: 0x49146e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61E1373E [Fri Jan 14 08:41:34 2022 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the last instruction is listed 97 times in the original preview: the bytes following the jmp stub are all zero, and the byte pair 00 00 disassembles to add byte ptr [eax], al)

                                          Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x91420 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x92000 | 0x604 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x913c2 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                          .text   0x2000           0x8f474       0x8f600   False     0.755004563535   data       7.23335914978   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc   0x92000          0x604         0x800     False     0.33447265625    data       3.41525161764   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc  0x94000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name         RVA      Size   Type                                                                            Language  Country
                                          RT_VERSION   0x920a0  0x376  data
                                          RT_MANIFEST  0x92418  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                          Imports

                                          DLL          Import
                                          mscoree.dll  _CorExeMain

                                          Version Infos

                                          Description       Data
                                          Translation       0x0000 0x04b0
                                          LegalCopyright    2022 Tradewell
                                          Assembly Version  22.0.0.0
                                          InternalName      ConstructorReturnMessa.exe
                                          FileVersion       1.1.0.0
                                          CompanyName       Tradewell ltd
                                          LegalTrademarks
                                          Comments          Purple Org
                                          ProductName       Blaster
                                          ProductVersion    1.1.0.0
                                          FileDescription   Blaster
                                          OriginalFilename  ConstructorReturnMessa.exe

                                          Network Behavior

                                          No network behavior found

                                          Code Manipulations

                                          Statistics

                                          CPU Usage

                                          Memory Usage

                                          High Level Behavior Distribution

                                          Behavior

                                          System Behavior

                                          General

                                          Start time: 15:07:19
                                          Start date: 14/01/2022
                                          Path: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Wow64 process (32bit): true
                                          Commandline: "C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe"
                                          Imagebase: 0x3c0000
                                          File size: 590336 bytes
                                          MD5 hash: 6181E56A727D1A622764B93F44847B55
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: .Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation: low

                                          General

                                          Start time: 15:07:28
                                          Start date: 14/01/2022
                                          Path: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Wow64 process (32bit): false
                                          Commandline: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Imagebase: 0x2e0000
                                          File size: 590336 bytes
                                          MD5 hash: 6181E56A727D1A622764B93F44847B55
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: low

                                          General

                                          Start time: 15:07:29
                                          Start date: 14/01/2022
                                          Path: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Wow64 process (32bit): false
                                          Commandline: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Imagebase: 0x220000
                                          File size: 590336 bytes
                                          MD5 hash: 6181E56A727D1A622764B93F44847B55
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: low

                                          General

                                          Start time: 15:07:30
                                          Start date: 14/01/2022
                                          Path: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Wow64 process (32bit): false
                                          Commandline: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Imagebase: 0xa0000
                                          File size: 590336 bytes
                                          MD5 hash: 6181E56A727D1A622764B93F44847B55
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: low

                                          General

                                          Start time: 15:07:31
                                          Start date: 14/01/2022
                                          Path: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Wow64 process (32bit): true
                                          Commandline: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Imagebase: 0xb10000
                                          File size: 590336 bytes
                                          MD5 hash: 6181E56A727D1A622764B93F44847B55
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: .Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.932648728.0000000002FE2000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.694460760.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.694460760.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.693491204.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.693491204.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.931334494.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.931334494.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation: low

                                          Disassembly

                                          Code Analysis

                                            Execution Graph

                                            Execution Coverage:12.2%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:181
                                            Total number of Limit Nodes:14

                                            Graph

                                            execution_graph 17228 b6bef0 17229 b6bf56 17228->17229 17233 b6c0a9 17229->17233 17236 b6c0b0 17229->17236 17230 b6c005 17234 b6c0de 17233->17234 17239 b69e90 17233->17239 17234->17230 17237 b69e90 DuplicateHandle 17236->17237 17238 b6c0de 17237->17238 17238->17230 17240 b6c118 DuplicateHandle 17239->17240 17241 b6c1ae 17240->17241 17241->17234 17244 4d693c0 17253 b67383 17244->17253 17257 b66cf0 17244->17257 17261 b67413 17244->17261 17245 4d6945b 17266 4d65e98 17245->17266 17248 4d65e98 5 API calls 17249 4d69490 17248->17249 17254 b673a9 17253->17254 17270 b66d20 17254->17270 17256 b673e2 17256->17245 17258 b66cfb 17257->17258 17259 b66d20 5 API calls 17258->17259 17260 b673e2 17259->17260 17260->17245 17262 b673dd 17261->17262 17263 b6741b 17261->17263 17264 b66d20 5 API calls 17262->17264 17265 b673e2 17264->17265 17265->17245 17267 4d65ea3 17266->17267 17392 4d65eb8 17267->17392 17269 4d69470 17269->17248 17271 b66d2b 17270->17271 17274 b66d50 17271->17274 17273 b674e2 17273->17256 17275 b66d5b 17274->17275 17277 b67bfe 17275->17277 17281 4d69c40 17275->17281 17276 b67c3c 17276->17273 17277->17276 17285 b6bb20 17277->17285 17290 b6bb1f 17277->17290 17295 b699f0 17281->17295 17299 b699eb 17281->17299 17282 4d69c4d 17282->17277 17286 b6bb41 17285->17286 17287 b6bb65 17286->17287 17331 b6bdd7 17286->17331 17335 b6bdd8 17286->17335 17287->17276 17291 b6bb41 17290->17291 17292 b6bb65 17291->17292 17293 b6bdd7 5 API calls 17291->17293 17294 b6bdd8 5 API calls 17291->17294 17292->17276 17293->17292 17294->17292 17303 b69ef0 17295->17303 17311 b69eeb 17295->17311 17296 b699ff 17296->17282 17300 b699ff 17299->17300 17301 b69ef0 2 API calls 17299->17301 17302 b69eeb 2 API calls 17299->17302 17300->17282 17301->17300 17302->17300 17304 b69f03 17303->17304 17305 b69f1b 17304->17305 17319 b6a177 17304->17319 17323 b6a178 17304->17323 17305->17296 17306 b69f13 17306->17305 17307 b6a118 GetModuleHandleW 17306->17307 17308 b6a145 
17307->17308 17308->17296 17312 b69f03 17311->17312 17313 b69f1b 17312->17313 17317 b6a177 LoadLibraryExW 17312->17317 17318 b6a178 LoadLibraryExW 17312->17318 17313->17296 17314 b69f13 17314->17313 17315 b6a118 GetModuleHandleW 17314->17315 17316 b6a145 17315->17316 17316->17296 17317->17314 17318->17314 17320 b6a18c 17319->17320 17321 b6a1b1 17320->17321 17327 b69b08 17320->17327 17321->17306 17324 b6a18c 17323->17324 17325 b6a1b1 17324->17325 17326 b69b08 LoadLibraryExW 17324->17326 17325->17306 17326->17325 17329 b6a358 LoadLibraryExW 17327->17329 17330 b6a3d1 17329->17330 17330->17321 17333 b6bde5 17331->17333 17332 b6be1f 17332->17287 17333->17332 17339 b69e08 17333->17339 17337 b6bde5 17335->17337 17336 b6be1f 17336->17287 17337->17336 17338 b69e08 5 API calls 17337->17338 17338->17336 17340 b69e13 17339->17340 17342 b6cb18 17340->17342 17343 b6c6d8 17340->17343 17342->17342 17344 b6c6e3 17343->17344 17345 b66d50 5 API calls 17344->17345 17346 b6cb87 17345->17346 17350 b6e90f 17346->17350 17359 b6e910 17346->17359 17347 b6cbc0 17347->17342 17352 b6e941 17350->17352 17353 b6ea32 17350->17353 17351 b6e94d 17351->17347 17352->17351 17368 b6ed90 17352->17368 17371 b6ed89 17352->17371 17353->17347 17354 b6e98d 17374 b6f757 17354->17374 17379 b6f758 17354->17379 17361 b6e941 17359->17361 17363 b6ea32 17359->17363 17360 b6e94d 17360->17347 17361->17360 17364 b6ed90 2 API calls 17361->17364 17365 b6ed89 2 API calls 17361->17365 17362 b6e98d 17366 b6f757 2 API calls 17362->17366 17367 b6f758 2 API calls 17362->17367 17363->17347 17364->17362 17365->17362 17366->17363 17367->17363 17369 b69ef0 2 API calls 17368->17369 17370 b6ed99 17369->17370 17370->17354 17372 b69ef0 2 API calls 17371->17372 17373 b6ed99 17371->17373 17372->17373 17373->17354 17375 b6f782 17374->17375 17376 b6f829 17375->17376 17384 4d60780 17375->17384 17388 4d6077f 17375->17388 17380 b6f782 17379->17380 17381 b6f829 17380->17381 17382 4d60780 2 API calls 17380->17382 17383 4d6077f 2 API calls 
17380->17383 17382->17381 17383->17381 17386 4d607d0 CreateWindowExW 17384->17386 17387 4d607cf CreateWindowExW 17384->17387 17385 4d607b5 17385->17376 17386->17385 17387->17385 17389 4d607b5 17388->17389 17390 4d607d0 CreateWindowExW 17388->17390 17391 4d607cf CreateWindowExW 17388->17391 17389->17376 17390->17389 17391->17389 17393 4d65ec3 17392->17393 17395 b66d20 5 API calls 17393->17395 17398 b67438 17393->17398 17403 b67510 17393->17403 17394 4d695bd 17394->17269 17395->17394 17399 b673fd 17398->17399 17400 b6743b 17398->17400 17399->17394 17401 b66d50 5 API calls 17400->17401 17402 b674e2 17401->17402 17402->17394 17404 b674d5 17403->17404 17405 b67513 17403->17405 17406 b66d50 5 API calls 17404->17406 17407 b674e2 17404->17407 17406->17407 17407->17394 17430 b63e50 17432 b63e6a 17430->17432 17431 b63ef8 17432->17431 17435 b63fef 17432->17435 17440 b639f0 17432->17440 17436 b64005 17435->17436 17444 b640e0 17436->17444 17448 b640db 17436->17448 17443 b639fb 17440->17443 17441 b67233 17441->17432 17443->17441 17456 b66cd0 17443->17456 17445 b64107 17444->17445 17446 b641e4 17445->17446 17452 b63e30 17445->17452 17446->17446 17450 b64107 17448->17450 17449 b641e4 17449->17449 17450->17449 17451 b63e30 CreateActCtxA 17450->17451 17451->17449 17453 b65570 CreateActCtxA 17452->17453 17455 b65633 17453->17455 17457 b66cdb 17456->17457 17458 b66cf0 5 API calls 17457->17458 17459 b6730d 17458->17459 17459->17443 17242 4d60a18 SetWindowLongW 17243 4d60a84 17242->17243 17408 4d60988 17409 4d609ae 17408->17409 17412 4d61688 17409->17412 17413 4d616b5 17412->17413 17414 4d616e7 17413->17414 17416 4d61810 17413->17416 17417 4d61824 17416->17417 17420 4d618c8 17417->17420 17418 4d618b0 17418->17414 17421 4d618d9 17420->17421 17423 4d62d70 17420->17423 17421->17418 17426 4d62d90 17423->17426 17427 4d62dd2 17426->17427 17429 4d62d7a 17426->17429 17428 4d62e2a CallWindowProcW 17427->17428 17427->17429 17428->17429 17429->17421

                                            Executed Functions

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 136 b69ef0-b69f05 call b68a6c 139 b69f07 136->139 140 b69f1b-b69f1f 136->140 189 b69f0d call b6a177 139->189 190 b69f0d call b6a178 139->190 141 b69f33-b69f74 140->141 142 b69f21-b69f2b 140->142 147 b69f76-b69f7e 141->147 148 b69f81-b69f8f 141->148 142->141 143 b69f13-b69f15 143->140 144 b6a050-b6a110 143->144 184 b6a112-b6a115 144->184 185 b6a118-b6a143 GetModuleHandleW 144->185 147->148 150 b69fb3-b69fb5 148->150 151 b69f91-b69f96 148->151 152 b69fb8-b69fbf 150->152 153 b69fa1 151->153 154 b69f98-b69f9f call b68a78 151->154 156 b69fc1-b69fc9 152->156 157 b69fcc-b69fd3 152->157 155 b69fa3-b69fb1 153->155 154->155 155->152 156->157 160 b69fd5-b69fdd 157->160 161 b69fe0-b69fe9 call b68a88 157->161 160->161 166 b69ff6-b69ffb 161->166 167 b69feb-b69ff3 161->167 169 b69ffd-b6a004 166->169 170 b6a019-b6a026 166->170 167->166 169->170 172 b6a006-b6a016 call b68a98 call b69adc 169->172 176 b6a028-b6a046 170->176 177 b6a049-b6a04f 170->177 172->170 176->177 184->185 186 b6a145-b6a14b 185->186 187 b6a14c-b6a160 185->187 186->187 189->143 190->143
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00B6A136
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.696772530.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 28082ce85c012ff996290dd0038d99d1508fddf4da2e4efbf2c8180a4463075e
                                            • Instruction ID: a6e99b3484ed0ca4809847ee47c0afbd6b975cf337dc76f3db057e9be21159db
                                            • Opcode Fuzzy Hash: 28082ce85c012ff996290dd0038d99d1508fddf4da2e4efbf2c8180a4463075e
                                            • Instruction Fuzzy Hash: DF7114B0A00B058FDB24DF69D14179ABBF5FF88304F00896ED45AD7A40DB79E8458F91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 205 4d607d0-4d60836 206 4d60841-4d60848 205->206 207 4d60838-4d6083e 205->207 208 4d60853-4d608f2 CreateWindowExW 206->208 209 4d6084a-4d60850 206->209 207->206 211 4d608f4-4d608fa 208->211 212 4d608fb-4d60933 208->212 209->208 211->212 216 4d60935-4d60938 212->216 217 4d60940 212->217 216->217 218 4d60941 217->218 218->218
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D608E2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.702277270.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 71d10b9ae0230fc979fc2d8943e51583463405b8d940ba753ab0565324680068
                                            • Instruction ID: 67b9e929748192aa2f34bbfac70b7a57ceb5130b9d763d0095fc21a869dea768
                                            • Opcode Fuzzy Hash: 71d10b9ae0230fc979fc2d8943e51583463405b8d940ba753ab0565324680068
                                            • Instruction Fuzzy Hash: 3B41BFB1D103499FDF15DF9AC884ADEBBF5BF88314F24812AE819AB210D774A845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 191 4d607cf-4d60836 192 4d60841-4d60848 191->192 193 4d60838-4d6083e 191->193 194 4d60853-4d608f2 CreateWindowExW 192->194 195 4d6084a-4d60850 192->195 193->192 197 4d608f4-4d608fa 194->197 198 4d608fb-4d60933 194->198 195->194 197->198 202 4d60935-4d60938 198->202 203 4d60940 198->203 202->203 204 4d60941 203->204 204->204
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D608E2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.702277270.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: bcffc906237e1ee10c1de2dab734097563f3539a1943f8746eda0d16fc8e1d1b
                                            • Instruction ID: d385fe8a6ce9cebe1abaaf24b805a4939a9ac9454f8a4d8c39b29ad35959c189
                                            • Opcode Fuzzy Hash: bcffc906237e1ee10c1de2dab734097563f3539a1943f8746eda0d16fc8e1d1b
                                            • Instruction Fuzzy Hash: 7241BFB1D103499FDF15DF99C884ADEBFB5BF88314F24812AE819AB210D774A845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 219 b63e30-b65631 CreateActCtxA 222 b65633-b65639 219->222 223 b6563a-b65694 219->223 222->223 230 b65696-b65699 223->230 231 b656a3-b656a7 223->231 230->231 232 b656b8 231->232 233 b656a9-b656b5 231->233 235 b656b9 232->235 233->232 235->235
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00B65621
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.696772530.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 734170c719a9593a7a41982f94f51edf557aaef4c55eb87fcfbf17d778666bda
                                            • Instruction ID: 031498aa018308127da44cf314b27df28f48ef379c4d6327ebcf7d6629bdd95f
                                            • Opcode Fuzzy Hash: 734170c719a9593a7a41982f94f51edf557aaef4c55eb87fcfbf17d778666bda
                                            • Instruction Fuzzy Hash: 0A410470D00619CFDB24DFA9C8447CEBBF5BF48304F608469D409AB251DB756946CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 236 b6556f-b65631 CreateActCtxA 238 b65633-b65639 236->238 239 b6563a-b65694 236->239 238->239 246 b65696-b65699 239->246 247 b656a3-b656a7 239->247 246->247 248 b656b8 247->248 249 b656a9-b656b5 247->249 251 b656b9 248->251 249->248 251->251
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00B65621
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.696772530.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 76dac4105289aadc21fe446c9d79a5b345dae1f4d5b8efe01ef606ef8d2b1557
                                            • Instruction ID: c1b45f5b4cdd3d6d34cf94168ec52dabdff05e2dbd27bbb348179860548e0eee
                                            • Opcode Fuzzy Hash: 76dac4105289aadc21fe446c9d79a5b345dae1f4d5b8efe01ef606ef8d2b1557
                                            • Instruction Fuzzy Hash: 8441E171D00619CFDB24DFA9C884BCEBBF5BF88308F608469D408AB251DB796946CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 252 4d62d90-4d62dcc 253 4d62dd2-4d62dd7 252->253 254 4d62e7c-4d62e9c 252->254 255 4d62e2a-4d62e62 CallWindowProcW 253->255 256 4d62dd9-4d62e10 253->256 260 4d62e9f-4d62eac 254->260 257 4d62e64-4d62e6a 255->257 258 4d62e6b-4d62e7a 255->258 263 4d62e12-4d62e18 256->263 264 4d62e19-4d62e28 256->264 257->258 258->260 263->264 264->260
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 04D62E51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.702277270.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: c9a2ec5f2961d4ea2db2aa9cf780822536c0f671e76a03859b1d7c91e901ba9f
                                            • Instruction ID: 157f7719e91a690f6d0cb8a39638e217ffb08067a2a7a9842a79b8d642bb6119
                                            • Opcode Fuzzy Hash: c9a2ec5f2961d4ea2db2aa9cf780822536c0f671e76a03859b1d7c91e901ba9f
                                            • Instruction Fuzzy Hash: E64118B4A00205CFDB14DF99C448AAABBF5FB88314F15C499E419AB321D734E841CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 266 b69e90-b6c1ac DuplicateHandle 268 b6c1b5-b6c1d2 266->268 269 b6c1ae-b6c1b4 266->269 269->268
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B6C0DE,?,?,?,?,?), ref: 00B6C19F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.696772530.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 0c3dca7f96ee68a4a1f54a80efbaee0f8466b7737ddcb4412ab208587cdfefa3
                                            • Instruction ID: aabb5fca122d940b049f3d781005b2f844bdcfc12e141b3e3d9026d3fe829626
                                            • Opcode Fuzzy Hash: 0c3dca7f96ee68a4a1f54a80efbaee0f8466b7737ddcb4412ab208587cdfefa3
                                            • Instruction Fuzzy Hash: B32103B59002089FDB10CFAAD884AEEBFF4EB48320F14805AE954B7311D378A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 272 b6c111-b6c1ac DuplicateHandle 273 b6c1b5-b6c1d2 272->273 274 b6c1ae-b6c1b4 272->274 274->273
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B6C0DE,?,?,?,?,?), ref: 00B6C19F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.696772530.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: d8f0f024ec1c2f8d129628851dbafc74fb2deea2163d2281a73e4302571c3538
                                            • Instruction ID: 263fa0cbe55a5f003be3daa0498b8267456a5e5aa5c68c43727b67a475c32afb
                                            • Opcode Fuzzy Hash: d8f0f024ec1c2f8d129628851dbafc74fb2deea2163d2281a73e4302571c3538
                                            • Instruction Fuzzy Hash: 4B21E0B5900209DFDB10CFA9D584ADEBBF5FB48320F14841AE959A7350D378AA54CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B6A1B1,00000800,00000000,00000000), ref: 00B6A3C2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.696772530.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 024721d7a8c30ecec499e3527b9362fb97e57e517bd66541ff1a6c84dfb963f9
                                            • Instruction ID: dad243c2c76ce2dc737f5e5986345927fce13bcb17829e9221c95304a7b11ce1
                                            • Opcode Fuzzy Hash: 024721d7a8c30ecec499e3527b9362fb97e57e517bd66541ff1a6c84dfb963f9
                                            • Instruction Fuzzy Hash: 491103B69003099FDB10CF9AC444A9EFBF4EB88314F14846AD516B7300C378A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B6A1B1,00000800,00000000,00000000), ref: 00B6A3C2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.696772530.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: af8e7600fef8dd6a5b711f5faeaefca514006e3fba5e0283c663586ea24d7ddf
                                            • Instruction ID: eb626a28013440dfcf632d54d1ab25a646ab1abfe6eb885f141d5a773ec52b94
                                            • Opcode Fuzzy Hash: af8e7600fef8dd6a5b711f5faeaefca514006e3fba5e0283c663586ea24d7ddf
                                            • Instruction Fuzzy Hash: C811E4B6D00209CFDB10CF9AD444ADEFBF5EB98324F14842AD419A7750C379A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00B6A136
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.696772530.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: b6cfd22719fec1ce6b06a834c26c1906df89660ae5354147b7140893edcff307
                                            • Instruction ID: 5a2cec2ccc185b837ba94c2b0c1a8a286865ed06aa46e83b39803b147f0843a4
                                            • Opcode Fuzzy Hash: b6cfd22719fec1ce6b06a834c26c1906df89660ae5354147b7140893edcff307
                                            • Instruction Fuzzy Hash: DE11D2B6D006498FCB10DF9AC444ADEFBF4EB89324F14845AD429B7600D379A545CFA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 04D60A75
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.702277270.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            • Opcode ID: 2001ceccf135544cc9c03758e2cc105f1dcb08f19b186a1c5f9dd55f967b5832
                                            • Instruction ID: 30276bf766f26371cc51905189af74dc3f0130c0d9a4aac93b1c6d7e7442dfbf
                                            • Opcode Fuzzy Hash: 2001ceccf135544cc9c03758e2cc105f1dcb08f19b186a1c5f9dd55f967b5832
                                            • Instruction Fuzzy Hash: 9011D0B59002499FDB10DF9AD484BDEFBF8EB88324F10851AD955A7740C378A944CFA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.696087469.00000000003C2000.00000002.00020000.sdmp, Offset: 003C0000, based on PE: true
                                            • Associated: 00000000.00000002.696078646.00000000003C0000.00000002.00020000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3c0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7b300ffdc025c5d5178c359ac99c6330fa7ad9eed6b2af60cfbb818ebdeb797a
                                            • Instruction ID: e2428d716ffdfde7a1b873ac5a710f07b7cfee3ccac30df0e98214a910d02f83
                                            • Opcode Fuzzy Hash: 7b300ffdc025c5d5178c359ac99c6330fa7ad9eed6b2af60cfbb818ebdeb797a
                                            • Instruction Fuzzy Hash: 0FA2DF6144E7C19FC7438B748CAA6817FB0AE1322471E85EBC4C5CF5B3D269684ADB63
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.696772530.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8b0967f07a3ce38f5a52e3480a24c5ab8aa70799ddab446d7c191031eb60b018
                                            • Instruction ID: 09579fed0d5f06b0216b8a9af0afad7ef1eb6fdddb6df28554567431c4302cd4
                                            • Opcode Fuzzy Hash: 8b0967f07a3ce38f5a52e3480a24c5ab8aa70799ddab446d7c191031eb60b018
                                            • Instruction Fuzzy Hash: 3A1292B1611B469BD310CF65EC983AD3BA1B74632DB90C308D2612FAF1D7B8194AEF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.696772530.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 339fc5b3f45152fac373f3c03009df339b568eb80eaa4acd57c84b0d39e8d9b6
                                            • Instruction ID: e385cc82b2ac3d65f3124c246f3f5686c8d27f6957f57c9fced7b3a34b567dea
                                            • Opcode Fuzzy Hash: 339fc5b3f45152fac373f3c03009df339b568eb80eaa4acd57c84b0d39e8d9b6
                                            • Instruction Fuzzy Hash: 97A15B36E00219CFCF05DFA5C8445AEBBF2FF85304B1585AAE915AB225EB79E905CB40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.696772530.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b60000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: add5c2a3b8aa8fdc3b603227c3c7a177a9e56415fa605635c81250072db3c5c2
                                            • Instruction ID: 0f6035f58632b28ba17e4373445fe91fb60c07a8ffb641b82877414c09639a28
                                            • Opcode Fuzzy Hash: add5c2a3b8aa8fdc3b603227c3c7a177a9e56415fa605635c81250072db3c5c2
                                            • Instruction Fuzzy Hash: 4DC1F5B1A11B468BD710CF65EC9839D7B71BB8632CF518308D2612BAE1D7B8184ADF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:9.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:2.4%
                                            Total number of Nodes:170
                                            Total number of Limit Nodes:17

                                            Graph

                                            execution_graph 30712 14d6b68 DuplicateHandle 30713 14d6bfe 30712->30713 30714 14d15a8 30715 14d15da 30714->30715 30718 14d1300 30715->30718 30717 14d16ff 30719 14d130b 30718->30719 30723 14d3650 30719->30723 30732 14d3660 30719->30732 30720 14d1c42 30720->30717 30724 14d3654 30723->30724 30741 14d3cf6 30724->30741 30746 14d3bd0 30724->30746 30725 14d3708 30728 14d3731 30725->30728 30751 14d32d8 30725->30751 30733 14d368a 30732->30733 30738 14d3cf6 GetModuleHandleW 30733->30738 30739 14d3bd0 GetModuleHandleW 30733->30739 30734 14d3708 30735 14d32d8 GetModuleHandleW 30734->30735 30737 14d3731 30734->30737 30736 14d375b 30735->30736 30740 14d500f CreateWindowExW 30736->30740 30738->30734 30739->30734 30740->30737 30742 14d3ce4 30741->30742 30743 14d3c6f 30741->30743 30742->30725 30743->30742 30761 14d3d50 30743->30761 30771 14d3d43 30743->30771 30747 14d3bb4 30746->30747 30747->30746 30748 14d3ce4 30747->30748 30749 14d3d50 GetModuleHandleW 30747->30749 30750 14d3d43 GetModuleHandleW 30747->30750 30748->30725 30749->30747 30750->30747 30752 14d40b0 GetModuleHandleW 30751->30752 30754 14d375b 30752->30754 30755 14d500f 30754->30755 30756 14d4f9a 30755->30756 30758 14d501a 30755->30758 30756->30728 30757 14d5046 30757->30728 30758->30728 30758->30757 30759 14d5153 CreateWindowExW 30758->30759 30760 14d51b4 30759->30760 30760->30760 30762 14d3d65 30761->30762 30763 14d32d8 GetModuleHandleW 30762->30763 30764 14d3daa 30762->30764 30763->30764 30765 14d32d8 GetModuleHandleW 30764->30765 30770 14d3f76 30764->30770 30766 14d3efb 30765->30766 30767 14d32d8 GetModuleHandleW 30766->30767 30766->30770 30768 14d3f49 30767->30768 30769 14d32d8 GetModuleHandleW 30768->30769 30768->30770 30769->30770 30770->30743 30772 14d3d50 30771->30772 30773 14d32d8 GetModuleHandleW 30772->30773 30774 14d3daa 30772->30774 30773->30774 30775 14d32d8 GetModuleHandleW 30774->30775 30780 14d3f76 30774->30780 30776 14d3efb 30775->30776 30777 14d32d8 GetModuleHandleW 30776->30777 30776->30780 30778 14d3f49 30777->30778 30779 14d32d8 GetModuleHandleW 30778->30779 30778->30780 30779->30780 30780->30743 30781 136d01c 30782 136d034 30781->30782 30783 136d08e 30782->30783 30788 14d7b5f 30782->30788 30797 14d3574 30782->30797 30805 14d5238 30782->30805 30809 14d5248 30782->30809 30789 14d7b23 30788->30789 30790 14d7b74 30788->30790 30791 14d7bf1 30790->30791 30793 14d7be1 30790->30793 30821 14d7780 30791->30821 30813 14d7d08 30793->30813 30817 14d7d18 30793->30817 30794 14d7bef 30798 14d357f 30797->30798 30799 14d7bf1 30798->30799 30801 14d7be1 30798->30801 30800 14d7780 CallWindowProcW 30799->30800 30802 14d7bef 30800->30802 30803 14d7d08 CallWindowProcW 30801->30803 30804 14d7d18 CallWindowProcW 30801->30804 30803->30802 30804->30802 30806 14d5248 30805->30806 30807 14d3574 CallWindowProcW 30806->30807 30808 14d528f 30807->30808 30808->30783 30810 14d526e 30809->30810 30811 14d3574 CallWindowProcW 30810->30811 30812 14d528f 30811->30812 30812->30783 30815 14d7d0c 30813->30815 30814 14d7780 CallWindowProcW 30814->30815 30815->30814 30816 14d7e13 30815->30816 30816->30794 30820 14d7d26 30817->30820 30818 14d7780 CallWindowProcW 30818->30820 30819 14d7e13 30819->30794 30820->30818 30820->30819 30822 14d778b 30821->30822 30823 14d7ee2 CallWindowProcW 30822->30823 30824 14d7e91 30822->30824 30823->30824 30824->30794 30611 14d6940 GetCurrentProcess 30612 14d69ba GetCurrentThread 30611->30612 30615 14d69b3 30611->30615 30613 14d69f7 GetCurrentProcess 30612->30613 30614 14d69f0 30612->30614 30618 14d6a2d 30613->30618 30614->30613 30615->30612 30616 14d6a55 GetCurrentThreadId 30617 14d6a86 30616->30617 30618->30616 30619 fd0fb0 30620 fd0fd0 BasepGetExeArchType 30619->30620 30622 fd0ff5 BasepGetExeArchType 30620->30622 30624 fd1033 30622->30624 30625 fdcf70 30626 fdcf8f 30625->30626 30627 fdcfc3 LdrInitializeThunk 30626->30627 30628 fdcfe0 30627->30628 30847 fd100f 30848 fd1016 BasepGetExeArchType 30847->30848 30850 fd1033 30848->30850 30641 fdbfa8 30650 fdbfc7 30641->30650 30642 fdcbf9 30644 fdcbcc 30644->30642 30645 fdccb7 BasepGetExeArchType 30644->30645 30646 fdcccd BasepGetExeArchType 30645->30646 30649 fdcd0b 30646->30649 30648 fdc09a 30650->30644 30650->30648 30651 fd7948 30650->30651 30652 fd7962 30651->30652 30653 fd7967 30652->30653 30655 14da323 CreateThreadpoolIo 30652->30655 30656 fd7728 CreateThreadpoolIo 30652->30656 30653->30650 30655->30652 30656->30652 30661 14db990 30662 14db9a4 30661->30662 30665 14dbbda 30662->30665 30671 14dbdbc 30665->30671 30676 14dbcb0 30665->30676 30681 14dbcc0 30665->30681 30686 14dbdd6 30665->30686 30672 14dbd6f 30671->30672 30672->30671 30673 14dbdfb 30672->30673 30691 14dc109 30672->30691 30699 14dc0b8 30672->30699 30677 14dbd04 30676->30677 30678 14dbdfb 30677->30678 30679 14dc109 2 API calls 30677->30679 30680 14dc0b8 2 API calls 30677->30680 30679->30678 30680->30678 30682 14dbd04 30681->30682 30683 14dbdfb 30682->30683 30684 14dc109 2 API calls 30682->30684 30685 14dc0b8 2 API calls 30682->30685 30684->30683 30685->30683 30687 14dbde9 30686->30687 30688 14dbdfb 30686->30688 30689 14dc109 2 API calls 30687->30689 30690 14dc0b8 2 API calls 30687->30690 30689->30688 30690->30688 30692 14dc0b2 30691->30692 30694 14dc112 30691->30694 30697 14dc109 RtlEncodePointer 30692->30697 30704 14dc118 30692->30704 30693 14dc0e6 30693->30673 30695 14dc17c RtlEncodePointer 30694->30695 30696 14dc1a5 30694->30696 30695->30696 30696->30673 30697->30693 30700 14dc0d6 30699->30700 30702 14dc109 2 API calls 30700->30702 30703 14dc118 RtlEncodePointer 30700->30703 30701 14dc0e6 30701->30673 30702->30701 30703->30701 30705 14dc152 30704->30705 30706 14dc17c RtlEncodePointer 30705->30706 30707 14dc1a5 30705->30707 30706->30707 30707->30693 30857 fd0040 30858 fd005f 30857->30858 30859 fd018a 30858->30859 30860 fd0647 BasepGetExeArchType 30858->30860 30861 fd065d BasepGetExeArchType 30860->30861 30863 fd069b 30861->30863

                                            Executed Functions

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 62fbeae5f00d18ad878687f5a941c08b5354dc9d4389c05a9b9ab809d54710bd
                                            • Instruction ID: 339ae55d50416519362e6ac3d61fd70cff962ad7e3d51bb15b0d720dcd39b0f8
                                            • Opcode Fuzzy Hash: 62fbeae5f00d18ad878687f5a941c08b5354dc9d4389c05a9b9ab809d54710bd
                                            • Instruction Fuzzy Hash: BE82EE30B042068FCB15EBB4D4586AE7BF3AF85304F2984AAD449DB3A5DB35DC06CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 2553744e373d52a78f34bc19bfc586ac4de20b71dd5566d1ef2e3af852794795
                                            • Instruction ID: b043275cb8caeef3f8d79dd6ca77d8c6c6dc766facebffe15f4a5bac445a0ceb
                                            • Opcode Fuzzy Hash: 2553744e373d52a78f34bc19bfc586ac4de20b71dd5566d1ef2e3af852794795
                                            • Instruction Fuzzy Hash: C551C331B102059BCB14EBB4C855AEEB7BABF84304F14856EE4169B394DF74EC05CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 014D69A0
                                            • GetCurrentThread.KERNEL32 ref: 014D69DD
                                            • GetCurrentProcess.KERNEL32 ref: 014D6A1A
                                            • GetCurrentThreadId.KERNEL32 ref: 014D6A73
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: b1077b02c4e7e8127722e30e06a8c7b2f6727a02ab2afe343b4ac813218eef79
                                            • Instruction ID: 77feec92f52694c0393504f88be9b570c92ba88c5b1de6e45bc890c6e04b34a9
                                            • Opcode Fuzzy Hash: b1077b02c4e7e8127722e30e06a8c7b2f6727a02ab2afe343b4ac813218eef79
                                            • Instruction Fuzzy Hash: F85178B09042458FEB04CFA9D998BDEBFF1EF49304F25885AE149A7361D7745884CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 014D69A0
                                            • GetCurrentThread.KERNEL32 ref: 014D69DD
                                            • GetCurrentProcess.KERNEL32 ref: 014D6A1A
                                            • GetCurrentThreadId.KERNEL32 ref: 014D6A73
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 451ae2d3ed4cbc10bed21354db3c90158f61296adabe36052245012356857c26
                                            • Instruction ID: d99a0af8e6a5b12366edf23fac57ae9bec0e83202a2ade712c72ab04af3c1c73
                                            • Opcode Fuzzy Hash: 451ae2d3ed4cbc10bed21354db3c90158f61296adabe36052245012356857c26
                                            • Instruction Fuzzy Hash: 495156B0D002498FDB14CFAAD548BDEBBF1EF88314F21845AE159A7360DB749844CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1122 fd0040-fd0130 1144 fd02af-fd03cc 1122->1144 1145 fd0136-fd0188 1122->1145 1233 fd0548-fd0552 1144->1233 1234 fd03d2-fd0424 1144->1234 1156 fd018a-fd0193 1145->1156 1157 fd0194-fd019f 1145->1157 1160 fd055e-fd0587 1157->1160 1161 fd01a5-fd01af 1157->1161 1165 fd05ac-fd05d7 1160->1165 1166 fd0589-fd0593 1160->1166 1161->1144 1162 fd01b5-fd01ea 1161->1162 1182 fd01ec-fd01f6 1162->1182 1183 fd01f8 1162->1183 1175 fd05fc-fd0693 BasepGetExeArchType * 2 1165->1175 1176 fd05d9-fd05e3 1165->1176 1169 fd05a8-fd05ab 1166->1169 1170 fd0595-fd05a6 1166->1170 1170->1169 1214 fd069b-fd06d3 1175->1214 1179 fd05f8-fd05fb 1176->1179 1180 fd05e5-fd05f6 1176->1180 1180->1179 1185 fd01fd-fd01ff 1182->1185 1183->1185 1188 fd0299-fd029d 1185->1188 1189 fd0205-fd0207 1185->1189 1188->1160 1190 fd02a3-fd02a9 1188->1190 1191 fd0209-fd0213 1189->1191 1192 fd0215 1189->1192 1190->1144 1190->1162 1194 fd021a-fd021c 1191->1194 1192->1194 1194->1188 1197 fd021e-fd0222 1194->1197 1198 fd0224-fd0231 1197->1198 1199 fd0233 1197->1199 1202 fd0238-fd023a 1198->1202 1199->1202 1202->1188 1203 fd023c-fd027d 1202->1203 1203->1188 1240 fd0426-fd0430 1234->1240 1241 fd0431-fd043c 1234->1241 1241->1160 1243 fd0442-fd044c 1241->1243 1243->1233 1244 fd0452-fd0489 1243->1244 1248 fd048b-fd0498 1244->1248 1249 fd049a 1244->1249 1250 fd049f-fd04a1 1248->1250 1249->1250 1251 fd04a7-fd04a9 1250->1251 1252 fd0536-fd053a 1250->1252 1254 fd04ab-fd04b5 1251->1254 1255 fd04b7 1251->1255 1252->1160 1253 fd053c-fd0542 1252->1253 1253->1233 1253->1244 1256 fd04bc-fd04be 1254->1256 1255->1256 1256->1252 1257 fd04c0-fd04c2 1256->1257 1258 fd04c4-fd04ce 1257->1258 1259 fd04d0 1257->1259 1260 fd04d5-fd04d7 1258->1260 1259->1260 1260->1252 1261 fd04d9-fd051a 1260->1261 1261->1252
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8bb61a489ad2a41b8c87d499683f3f14e8500d59a9a356651a46aa5bfd50d4a0
                                            • Instruction ID: 7b83c7358b78715fd2b62f5ccbb0a2cb76bb357e9a2434ad18359bb3029ae5a7
                                            • Opcode Fuzzy Hash: 8bb61a489ad2a41b8c87d499683f3f14e8500d59a9a356651a46aa5bfd50d4a0
                                            • Instruction Fuzzy Hash: 8F029A31B042058FCB15EBB4D4586AEBBF2AF85314F14856AD819DB3A5DF34DC06CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1269 fd0f01-fd0f1f 1270 fd0f44-fd0f6f 1269->1270 1271 fd0f21-fd0f2b 1269->1271 1275 fd0f94-fd0fd7 1270->1275 1276 fd0f71-fd0f7b 1270->1276 1272 fd0f2d-fd0f3e 1271->1272 1273 fd0f40-fd0f43 1271->1273 1272->1273 1283 fd0fdf-fd0fed BasepGetExeArchType 1275->1283 1278 fd0f7d-fd0f8e 1276->1278 1279 fd0f90-fd0f93 1276->1279 1278->1279 1284 fd0ff5-fd100d 1283->1284 1287 fd1020-fd102b BasepGetExeArchType 1284->1287 1288 fd1033-fd106b 1287->1288
                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD0FE8
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1026
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: 4ec867ce760d21ad10aaff8dfe022d346a410126c05b440cc35ff28891e353cb
                                            • Instruction ID: 415a72e4801d0f61d0f435894bf8c991598469ed164b12a348209107101f809d
                                            • Opcode Fuzzy Hash: 4ec867ce760d21ad10aaff8dfe022d346a410126c05b440cc35ff28891e353cb
                                            • Instruction Fuzzy Hash: CB418530B043458FD752DB78D8556AE7BF2AF89200B15C4ABD489DB356EB34DC068B51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph: blocks fdd151-fdd2bb, entry block fdd151-fdd15d; BasepGetExeArchType called from blocks fdd22f-fdd23d and fdd270-fdd27b (rendered basic-block graph omitted)
                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FDD238
                                            • BasepGetExeArchType.KERNEL32 ref: 00FDD276
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: d253d2291208c7ff062d1616ca7987ac80e947f61a516b28b0b7df9fac6faeee
                                            • Instruction ID: 1f31c9cde4b159adcf2ed39f4baf67b843f8afe37e91059842dca9911b85255e
                                            • Opcode Fuzzy Hash: d253d2291208c7ff062d1616ca7987ac80e947f61a516b28b0b7df9fac6faeee
                                            • Instruction Fuzzy Hash: 6641A271B043458FDB41EBB8C8506AE7BF2AF89304F1984ABD449DB756EA349C068B51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph: blocks fd1070-fd118b, entry block fd1070-fd107d; BasepGetExeArchType called from blocks fd10ff-fd110d and fd1140-fd114b (rendered basic-block graph omitted)
                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1108
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1146
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: ee56e5dfa0f9bd92c0b6ce7169913e33edccefc68268fa5a0148aed1677fe021
                                            • Instruction ID: 58b6fa006aa1594062151268eacd97e7165c13592ec2f7334d793013f50e8ad8
                                            • Opcode Fuzzy Hash: ee56e5dfa0f9bd92c0b6ce7169913e33edccefc68268fa5a0148aed1677fe021
                                            • Instruction Fuzzy Hash: 4F31E630B043599FC741EBB8C855AAE7BF2BF89300B1480AAD549DB355EB349C02CB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph: blocks fd12b1-fd13cb, entry block fd12b1-fd12cf; BasepGetExeArchType called from blocks fd133f-fd134d and fd1380-fd138b (rendered basic-block graph omitted)
                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1348
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1386
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: 87282d9c5effec0b495037bf4dc1f15be702430c39bed9f3b81df5524462cbe3
                                            • Instruction ID: bf99363f387deebaebcd8246270a2c8acbb6bc4bb6a943581d4f3d583b94b2fa
                                            • Opcode Fuzzy Hash: 87282d9c5effec0b495037bf4dc1f15be702430c39bed9f3b81df5524462cbe3
                                            • Instruction Fuzzy Hash: 55218330B042469FCB45EBB8C855AEE7BF2AB89310B1585BAD149DB355EB349C028B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph: blocks fd1191-fd12ab, entry block fd1191-fd11af; BasepGetExeArchType called from blocks fd121f-fd122d and fd1260-fd126b (rendered basic-block graph omitted)
                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1228
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1266
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: fa74d49cdee0ea5abbfb8eb2c153f376b1606d4f5f22e76063523179af7b3ab0
                                            • Instruction ID: 9ba032ecb5443e4928f5d8d01eae94ca691517595068b630a74bdfba999aef20
                                            • Opcode Fuzzy Hash: fa74d49cdee0ea5abbfb8eb2c153f376b1606d4f5f22e76063523179af7b3ab0
                                            • Instruction Fuzzy Hash: 4921E530B082498FCB41E7B8C854AAE7BF2AB89304B15C4AAD549D7795EB34AC06CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph: blocks fddb84-fddc4b, entry block fddb84-fddbb7; BasepGetExeArchType called from blocks fddbbf-fddbcd and fddc00-fddc0b (rendered basic-block graph omitted)
                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FDDBC8
                                            • BasepGetExeArchType.KERNEL32 ref: 00FDDC06
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: 01d3042d3c4fb9e7d3c0f4e5e1cb712582e56fef7de83cf4414616770ba415f3
                                            • Instruction ID: 4bfb3bc8d449652ac0c047ce6304ea25a53b12d1f0676c3e67f2e75898d4a5d7
                                            • Opcode Fuzzy Hash: 01d3042d3c4fb9e7d3c0f4e5e1cb712582e56fef7de83cf4414616770ba415f3
                                            • Instruction Fuzzy Hash: D4117371F001198FCB80EBBCC8559AEB7F2BFC8200754846AD549E7354EF349D128B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph: blocks fd10d0-fd118b, entry block fd10d0-fd114b (BasepGetExeArchType called twice), followed by fd1153-fd118b (rendered basic-block graph omitted)
                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1108
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1146
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: 6ad1731b6596066431b4c7d37251647eff0165391b4cc3d3ee277bb0596787ec
                                            • Instruction ID: 912683c62b4fced6e058185e8a4f6c2b9116de6f6a6ecfe8481ae9d3018c01e3
                                            • Opcode Fuzzy Hash: 6ad1731b6596066431b4c7d37251647eff0165391b4cc3d3ee277bb0596787ec
                                            • Instruction Fuzzy Hash: 10113031B0011A9F8B84EBBDC8559AF77F6FB886107508429D549E7314EF34AD028B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph: blocks fd11f0-fd12ab, entry block fd11f0-fd126b (BasepGetExeArchType called twice), followed by fd1273-fd12ab (rendered basic-block graph omitted)
                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1228
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1266
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: eec726d1e0c3de92d1d4ace86733241bc5935a91392543d341f6556c65a29cdf
                                            • Instruction ID: 3eba29311d815f8e8668c42b3c600b6862202ed1b6d81836e774609c7f6b4ed3
                                            • Opcode Fuzzy Hash: eec726d1e0c3de92d1d4ace86733241bc5935a91392543d341f6556c65a29cdf
                                            • Instruction Fuzzy Hash: FD111E31F001199FCB80EBBDD8549AE7BF6FBC8614B508469D549E7354EF34AD028B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FDD238
                                            • BasepGetExeArchType.KERNEL32 ref: 00FDD276
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: 5909ab308d8f944f75520b730a116966634b97a8ab21dec05b71a234edf94347
                                            • Instruction ID: 70ab15a894d2eb4b09a04393003cbb8872cf6bedecc1c5c2f3e3ba0bad611a8b
                                            • Opcode Fuzzy Hash: 5909ab308d8f944f75520b730a116966634b97a8ab21dec05b71a234edf94347
                                            • Instruction Fuzzy Hash: 1A115E31B0011A9F8B80EBBCC854AAE77F6FF88250B508469D549E7318EF34AD168B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FDDBC8
                                            • BasepGetExeArchType.KERNEL32 ref: 00FDDC06
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: 1bb302bd0b1a0f4a569e152c3badf3a63df4448181c3b22e842e3c3a3d82a983
                                            • Instruction ID: 3ce3971cfe11c9d195abe4c3605a93c61126ba4eba53860fce5d1c5e04830bf0
                                            • Opcode Fuzzy Hash: 1bb302bd0b1a0f4a569e152c3badf3a63df4448181c3b22e842e3c3a3d82a983
                                            • Instruction Fuzzy Hash: 3D115E31F001198F8B80EBBCC8549AEB7F6FBC8210B50842AD549E7354EF34AD028B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph: blocks fd1310-fd13cb, entry block fd1310-fd138b (BasepGetExeArchType called twice), followed by fd1393-fd13cb (rendered basic-block graph omitted)
                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1348
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1386
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: 609200489da9e4023d9a8f463ee59e4d99885fc3d51a86f59d0ce589dd4693e4
                                            • Instruction ID: a9fb0c6f143f275ca5463bb7d1ae6bdad5001ef470d9ba45b5f35496484de262
                                            • Opcode Fuzzy Hash: 609200489da9e4023d9a8f463ee59e4d99885fc3d51a86f59d0ce589dd4693e4
                                            • Instruction Fuzzy Hash: DB115B31F001199F8B80EBBCC8549AE7BF6FBC8210B508469D54AE7354EF34AD028F91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph: blocks fdcc88-fdcd43, entry block fdcc88-fdcd03 (BasepGetExeArchType called twice), followed by fdcd0b-fdcd43 (rendered basic-block graph omitted)
                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FDCCC0
                                            • BasepGetExeArchType.KERNEL32 ref: 00FDCCFE
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: f74444a154ea39f3e291a130d80e5657c5e2641013a01b46fb14f50fa4274b25
                                            • Instruction ID: 64abd15eb2ed6a636f76971ac29d11667c37616c97f0d439689fb95e6746c82b
                                            • Opcode Fuzzy Hash: f74444a154ea39f3e291a130d80e5657c5e2641013a01b46fb14f50fa4274b25
                                            • Instruction Fuzzy Hash: 7B115231B105198FCB80EBBCC8549AEB7F6FB88214B508529D549E7314EF34AD128B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph: blocks fd0618-fd06d3, entry block fd0618-fd063f; BasepGetExeArchType called from blocks fd0647-fd0655 and fd0688-fd0693 (rendered basic-block graph omitted)
                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD0650
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD068E
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: 620fe931267c28acbc674831049f2089178693fa338f73fa694d16aa24f7d6dc
                                            • Instruction ID: ab42cd15dc09369c1bfa7bac0639661e440a9d3993360b41b47830c05a32d2e2
                                            • Opcode Fuzzy Hash: 620fe931267c28acbc674831049f2089178693fa338f73fa694d16aa24f7d6dc
                                            • Instruction Fuzzy Hash: C2115231B001199F8B80EBBCD8549EE7BF6FBC8210B54C529D549E7354EF34AD128B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph: blocks fd0fb0-fd106b, entry block fd0fb0-fd102b (BasepGetExeArchType called twice), followed by fd1033-fd106b (rendered basic-block graph omitted)
                                            APIs
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD0FE8
                                            • BasepGetExeArchType.KERNEL32 ref: 00FD1026
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: ArchBasepType
                                            • String ID:
                                            • API String ID: 838778181-0
                                            • Opcode ID: bd75518f88ab9ed9c0fec09ab31ed38169b937bb6a3dcfe7003028d6744bb35b
                                            • Instruction ID: fecb509bc6f2caa9abce9284a01fe7b13f949c67c2429a924939cf1f7108105d
                                            • Opcode Fuzzy Hash: bd75518f88ab9ed9c0fec09ab31ed38169b937bb6a3dcfe7003028d6744bb35b
                                            • Instruction Fuzzy Hash: 1C115231B002198F8B80EBBCD854AAE77F6FF88210B50C429D549E7314EF34AD128F91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: bf6160425d07bfe4437751f207301df67e6879a156236a906b1c5d8c63a9fc26
                                            • Instruction ID: ae9d6a085e059267cfead1566827630cff69e64c629dabda5aad6781bf2c347f
                                            • Opcode Fuzzy Hash: bf6160425d07bfe4437751f207301df67e6879a156236a906b1c5d8c63a9fc26
                                            • Instruction Fuzzy Hash: 2561E131B043059FCB04EB74C854AAE7BB6AF85304F1885AAE046DB395DF74DC09CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 845b5edae81addcd875db8038a998ed0737aed9d8a47e7c12016f31f9d79c474
                                            • Instruction ID: 7c09f002d407018c7976c787e08fe8a3a15b7ccccd0a487867abf2ca519ebcd0
                                            • Opcode Fuzzy Hash: 845b5edae81addcd875db8038a998ed0737aed9d8a47e7c12016f31f9d79c474
                                            • Instruction Fuzzy Hash: C26132B1C04249AFDF12CFA9C8A0ACEBFB1FF49310F15815AE908AB221D7759856CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • QueryFullProcessImageNameW.KERNEL32 ref: 014DD90C
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
                                            Similarity
                                            • API ID: FullImageNameProcessQuery
                                            • String ID:
                                            • API String ID: 3578328331-0
• Opcode ID: 2ece5220a4a5c34dff5c20399a068abf5be264ce27fba75ed575e34b5614e043
• Instruction ID: 338f108e3e77acdc3f4c2d9da0c8249d19362348ac335709617f15de64edc428
• Opcode Fuzzy Hash: 2ece5220a4a5c34dff5c20399a068abf5be264ce27fba75ed575e34b5614e043
• Instruction Fuzzy Hash: FD412531F083554FEF1A46E948B537B7ABA9B85210F09447BE91ADB3E2EB74CC058352
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateThreadpoolIo.KERNEL32 ref: 014DA49E
Memory Dump Source
• Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: CreateThreadpool
• String ID:
• API String ID: 3648228295-0
• Opcode ID: b981e85f9737e59acb1eb5c69a95a42e055222f76488886cf5331945c211aa5b
• Instruction ID: ee3c21586b8bf81d97bf7c50345df0264c3b564e45d9535ec142608020a7c5c3
• Opcode Fuzzy Hash: b981e85f9737e59acb1eb5c69a95a42e055222f76488886cf5331945c211aa5b
• Instruction Fuzzy Hash: 764190356042059FEF06AF68D8657AE3BA7FB85304F14802AFA098B361DB75DC168B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014D51A2
Memory Dump Source
• Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: e85fadc14a8b80c8f71c4717a8c343b83b973432487e7a6914970daf7ba26a8a
• Instruction ID: e0400bc1ff206d5c71df2aeb2be9fd7f57b41eed8993efc2739153c8618ebe97
• Opcode Fuzzy Hash: e85fadc14a8b80c8f71c4717a8c343b83b973432487e7a6914970daf7ba26a8a
• Instruction Fuzzy Hash: 8B41B0B1D103099FDF14CFAAC894ADEBBB5FF48314F64812AE819AB210DB749945CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 014D7F09
Memory Dump Source
• Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: c5f2907c07e96e84ff0a133a978eba2892efa9f5d6b575c08ae813c8a155b5bb
• Instruction ID: bcb20fd032074719aa1fbbd9ca2e097ea2fef51d02bc1d81d5f2fcfba429107e
• Opcode Fuzzy Hash: c5f2907c07e96e84ff0a133a978eba2892efa9f5d6b575c08ae813c8a155b5bb
• Instruction Fuzzy Hash: B9413BB4A00305CFCB14CF59C458AABBBF5FF88318F158499E519A7321D774A941CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 014DC192
Memory Dump Source
• Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 09171966b0965e065e500b88f898f7055cf7d688a4b6e7cfd5762bc411889797
• Instruction ID: c8d690c083d20f66ee9dc3ce520b004a10d78705180322f331a960908c9c6498
• Opcode Fuzzy Hash: 09171966b0965e065e500b88f898f7055cf7d688a4b6e7cfd5762bc411889797
• Instruction Fuzzy Hash: A931C0B58003498FEB21CFA9E59979EBFF4EB06304F14845ED484EB242C7785949CF61
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014D6BEF
Memory Dump Source
• Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 1bf36c2b9a1b6ee7a9159d526b6eb0193fcbff21532b5ee60f98c98e2a7e3b49
• Instruction ID: 9c766d8fbd524082c5c48359cee60a92c3992610aa1754d1bf6f4fad56b167c0
• Opcode Fuzzy Hash: 1bf36c2b9a1b6ee7a9159d526b6eb0193fcbff21532b5ee60f98c98e2a7e3b49
• Instruction Fuzzy Hash: CE2112B59002499FDF10CFAAD484AEEBFF4EB48320F15841AE914A3310D374A955CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014D6BEF
Memory Dump Source
• Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 334c86a2550a5f7ecc50121375cce365f932579311a5a648fe36b11c011b77b7
• Instruction ID: 61d51426689158493e8aedd391e0256faa818a2c9f77f63c8a9415b6714d468c
• Opcode Fuzzy Hash: 334c86a2550a5f7ecc50121375cce365f932579311a5a648fe36b11c011b77b7
• Instruction Fuzzy Hash: 9321E2B59002089FDB10CFAAD984ADEFBF8EB48324F15841AE914A3310D374A955CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 014DC192
Memory Dump Source
• Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: f5a12a9780d6e841cfd2e567dcee83c028569e2011a76f0fbf424d9ff859018b
• Instruction ID: 3f05545dbc0789374d751de0a14b91092ec9a740a242920dde1358fb8892de21
• Opcode Fuzzy Hash: f5a12a9780d6e841cfd2e567dcee83c028569e2011a76f0fbf424d9ff859018b
• Instruction Fuzzy Hash: 1F11597190030A8FDF20DFA9C58979EBBF8EB49714F10882ED445A7641CB796905CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 014D4116
Memory Dump Source
• Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 03a7880fb8be72dea00a118d75f98b716eb530cdd9a5e8479ed5a6d6a5fd4294
• Instruction ID: cc320aeba7121f8bf67159b9ac205cba6014a47101a452844ee2bd60c2cc8fad
• Opcode Fuzzy Hash: 03a7880fb8be72dea00a118d75f98b716eb530cdd9a5e8479ed5a6d6a5fd4294
• Instruction Fuzzy Hash: 5911F0B19006498BDB10DFAAC448BDEFBF4EB89224F15842AD929A7710D374A546CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 014D4116
Memory Dump Source
• Source File: 00000008.00000002.932252850.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_14d0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: d378e370f8118e4ac6061e466e1d9c9bde3d50534372be2beb9b9e8f973a1f8f
• Instruction ID: 06aa9539180aa8c8c51affa5b8cb9391e56fd0f62806c4b99903452a98b6012a
• Opcode Fuzzy Hash: d378e370f8118e4ac6061e466e1d9c9bde3d50534372be2beb9b9e8f973a1f8f
• Instruction Fuzzy Hash: 191102B6D006098FDB10CFAAC484BDEFBF4EF48214F15841AC529A7610C378A54ACFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• BasepGetExeArchType.KERNEL32 ref: 00FD1026
Memory Dump Source
• Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: ArchBasepType
• String ID:
• API String ID: 838778181-0
• Opcode ID: a3f909d7c2af8e3e70c0c0201f7be5416944b7bb3ca96546ef98ec59fb7d75ca
• Instruction ID: fc93624d326b6780ec31a43fb79444b34fb0d2493beb90910789e1576cec0393
• Opcode Fuzzy Hash: a3f909d7c2af8e3e70c0c0201f7be5416944b7bb3ca96546ef98ec59fb7d75ca
• Instruction Fuzzy Hash: 4EE0ED36B0011ACBCF40FBB9D8595DD73F2BF98214B10806AD50AE7364DE34AD118B61
Uniqueness
Uniqueness Score: -1.00%

APIs
• BasepGetExeArchType.KERNEL32 ref: 00FD1146
Memory Dump Source
• Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: ArchBasepType
• String ID:
• API String ID: 838778181-0
• Opcode ID: 69f2457ae8d1d3976fc03db1d0f51716743c1a0636c51ec129420d8b325fbb25
• Instruction ID: a12266ca618ec38f91972b98c08be1ad6b1ec541cf11b6ff99150c91de838228
• Opcode Fuzzy Hash: 69f2457ae8d1d3976fc03db1d0f51716743c1a0636c51ec129420d8b325fbb25
• Instruction Fuzzy Hash: E5E0ED35B0011A9BCF44FBB9D8599DE73F2BF98215B108069D50AE7364DE34AD118BA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• BasepGetExeArchType.KERNEL32 ref: 00FDD276
Memory Dump Source
• Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: ArchBasepType
• String ID:
• API String ID: 838778181-0
• Opcode ID: 1fe872177eada36bb908e9c59b10f6acaa21ae74eaa35f41ad5807dd76372f49
• Instruction ID: 7b08d763baf815300733041956770e8dcad39bd2a0cea9477a8b90c101db26f6
• Opcode Fuzzy Hash: 1fe872177eada36bb908e9c59b10f6acaa21ae74eaa35f41ad5807dd76372f49
• Instruction Fuzzy Hash: A2E06D35B0001A8BCF40FBB8D8549DD73F2BF98215B008069D50AE3364DE34AC118B51
Uniqueness
Uniqueness Score: -1.00%

APIs
• BasepGetExeArchType.KERNEL32 ref: 00FD1266
Memory Dump Source
• Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: ArchBasepType
• String ID:
• API String ID: 838778181-0
• Opcode ID: 2968c7c23b0183997a34cb8fcfd9d5d274ef8c1e07c5d0f0bc5ccbabe1250c1e
• Instruction ID: 7818260d611d3040e4b7dfcfba9b0b4613f82d80f545960451e5985b69a955e5
• Opcode Fuzzy Hash: 2968c7c23b0183997a34cb8fcfd9d5d274ef8c1e07c5d0f0bc5ccbabe1250c1e
• Instruction Fuzzy Hash: C9E0ED35B100198BCF40FBB9D8599DD77F2BB98215B108069D50AE7364DE34AD118B61
Uniqueness
Uniqueness Score: -1.00%

APIs
• BasepGetExeArchType.KERNEL32 ref: 00FDDC06
Memory Dump Source
• Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: ArchBasepType
• String ID:
• API String ID: 838778181-0
• Opcode ID: cfc07204cb28175f5e59810bbafd2b5a3d6d266d67bac3428d926281f384412d
• Instruction ID: 3ae669b3d2a1624f28a77671bc594230781a6978a26e167cd368030e6d904e95
• Opcode Fuzzy Hash: cfc07204cb28175f5e59810bbafd2b5a3d6d266d67bac3428d926281f384412d
• Instruction Fuzzy Hash: E2E0ED35B104198FCF44FBB9D8559DDB3F2BB98215B10806AD50AE7364DE34AC118B61
Uniqueness
Uniqueness Score: -1.00%

APIs
• BasepGetExeArchType.KERNEL32 ref: 00FD1386
Memory Dump Source
• Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: ArchBasepType
• String ID:
• API String ID: 838778181-0
• Opcode ID: c250cf0318d6f347dde5dd65ae7d3df8c04e0b688c2d6290e064f4ad3057f26d
• Instruction ID: cf6a4ac74e4fe736bd05d9ef25b350a3589af079a7af6ebadb95a1e70222119e
• Opcode Fuzzy Hash: c250cf0318d6f347dde5dd65ae7d3df8c04e0b688c2d6290e064f4ad3057f26d
• Instruction Fuzzy Hash: 19E01235B000198BCF44FBB9D8549ED73F2FFD8215B148069D50AE7364DE34AC128B51
Uniqueness
Uniqueness Score: -1.00%

APIs
• BasepGetExeArchType.KERNEL32 ref: 00FDCCFE
Memory Dump Source
• Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: ArchBasepType
• String ID:
• API String ID: 838778181-0
• Opcode ID: a16b2998cd7970bbec7b03b9fb94dd9589eac440cc587a88298cbd30d5297b15
• Instruction ID: 0be3e9f83677d8e26523bb7c0789a36a39b2f3f50d6383d1c49522247fe63d79
• Opcode Fuzzy Hash: a16b2998cd7970bbec7b03b9fb94dd9589eac440cc587a88298cbd30d5297b15
• Instruction Fuzzy Hash: D4E0ED36B1041A8BCF40FBB9D8549DDB7F2FB98218B10806AD50AE7364DE34AD128B61
Uniqueness
Uniqueness Score: -1.00%

APIs
• BasepGetExeArchType.KERNEL32 ref: 00FD068E
Memory Dump Source
• Source File: 00000008.00000002.931634547.0000000000FD0000.00000040.00000010.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_fd0000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID: ArchBasepType
• String ID:
• API String ID: 838778181-0
• Opcode ID: 18a7bc4d5eddc7254f0b666d3a4760ef425c22d5c0328af7b5beb94faabd3496
• Instruction ID: 5a9a4f73092d2a7cb94a6c391a44a5e0be3049a63453365d63807debfb1e2531
• Opcode Fuzzy Hash: 18a7bc4d5eddc7254f0b666d3a4760ef425c22d5c0328af7b5beb94faabd3496
• Instruction Fuzzy Hash: EBE0ED36B000198BCF40FBB9D8559ED77F2EB98214B14816AD50AE7364DE34AD118B51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.932106712.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_136d000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e2fbe951208b28e2118cd65aae5d86fafb5b38e5530d9355181c2d7574cffe45
• Instruction ID: b45916aab459dc8716d2363c977fe79b4e78f132f416a4b23da3654005682e03
• Opcode Fuzzy Hash: e2fbe951208b28e2118cd65aae5d86fafb5b38e5530d9355181c2d7574cffe45
• Instruction Fuzzy Hash: 6E213775604244DFCB15CF54D8C4B16BB6DFB88358F24C969D8894B34AC33BD857CAA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.932106712.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_136d000_PO# 6100003560, items 00090 and 00100.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
• Instruction ID: 47d5edb198b729416d5c5121869c62fa305a9f535ce7b1b0ee95121be51298a3
• Opcode Fuzzy Hash: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
• Instruction Fuzzy Hash: F0118E75504280DFDB12CF54D5C4B15BFB1FB84318F24C6AAD8494B65AC33AD45ACBA1
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions