Windows Analysis Report
22o5gJzlg6.exe

Overview

General Information

Sample Name:22o5gJzlg6.exe
Analysis ID:679116
MD5:1f85c12fcd3232c577e5e8cc07fbf1e1
SHA1:3741755f8a11638209821a3cd7c01104acac184d
SHA256:f229ed07a73bf6f353a8429a9842aeb6c2e35a47f3b353bce93cca550efbbee4
Tags:exe, njrat, RAT
Infos:

Detection

Njrat
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Njrat
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges

Classification

  • System is w10x64
  • 22o5gJzlg6.exe (PID: 5776 cmdline: "C:\Users\user\Desktop\22o5gJzlg6.exe" MD5: 1F85C12FCD3232C577E5E8CC07FBF1E1)
{"Host": "milla11.publicvm.com", "Port": "5050", "Mutex Name": "d84c416188f84fa099", "Network Seprator": "@!#&^%$", "Campaign ID": "NYAN CAT", "Version": "0.7NC"}
Source | Rule | Description | Author | Strings
Process Memory Space: 22o5gJzlg6.exe PID: 5776 | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
    No Sigma rule has matched
    Timestamp:08/05/22-09:39:04.872116
    SID:2825564
    Source IP:192.168.2.5
    Source Port:49765
    Destination IP:91.109.186.4
    Destination Port:5050
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:08/05/22-09:37:42.892210
    SID:2825563
    Source IP:192.168.2.5
    Source Port:49765
    Destination IP:91.109.186.4
    Destination Port:5050
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:08/05/22-09:37:42.798572
    SID:2033132
    Source IP:192.168.2.5
    Source Port:49765
    Destination IP:91.109.186.4
    Destination Port:5050
    Protocol:TCP
    Classtype:A Network Trojan was detected

    AV Detection

    Source: 22o5gJzlg6.exe, Avira: detected
    Source: 22o5gJzlg6.exe, Virustotal: Detection: 73%
    Source: 22o5gJzlg6.exe, Metadefender: Detection: 42%
    Source: 22o5gJzlg6.exe, ReversingLabs: Detection: 69%
    Source: Yara match, File source: Process Memory Space: 22o5gJzlg6.exe PID: 5776, type: MEMORYSTR
    Source: 22o5gJzlg6.exe, Joe Sandbox ML: detected
    Source: 0.0.22o5gJzlg6.exe.430000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen
    Source: 0.2.22o5gJzlg6.exe.27abcb4.0.raw.unpack, Malware Configuration Extractor: Njrat {"Host": "milla11.publicvm.com", "Port": "5050", "Mutex Name": "d84c416188f84fa099", "Network Seprator": "@!#&^%$", "Campaign ID": "NYAN CAT", "Version": "0.7NC"}
    Source: 22o5gJzlg6.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

    Networking

    Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49765 -> 91.109.186.4:5050
    Source: Traffic, Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.5:49765 -> 91.109.186.4:5050
    Source: Traffic, Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49765 -> 91.109.186.4:5050
    Source: Malware configuration extractor, URLs: milla11.publicvm.com
    Source: global traffic, TCP traffic: 192.168.2.5:49765 -> 91.109.186.4:5050
    Source: 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/(
    Source: 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
    Source: 22o5gJzlg6.exe, 00000000.00000003.434060485.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434026409.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/4
    Source: 22o5gJzlg6.exe, 00000000.00000003.434060485.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434026409.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/=
    Source: 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/V
    Source: 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/X
    Source: 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435402188.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
    Source: 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/iv
    Source: 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.436098101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435840977.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.436041454.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435402188.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
    Source: 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/4
    Source: 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=
    Source: 22o5gJzlg6.exe, 00000000.00000003.434060485.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434026409.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/kurs
    Source: 22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/l
    Source: 22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/r
    Source: 22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sv-s
    Source: 22o5gJzlg6.exe, 00000000.00000003.445348164.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.445413832.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.441424361.00000000057EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.
    Source: 22o5gJzlg6.exe, 00000000.00000003.443332430.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.Y
    Source: 22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
    Source: 22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
    Source: 22o5gJzlg6.exe, 00000000.00000003.435143246.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435173659.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com8
    Source: 22o5gJzlg6.exe, 00000000.00000003.430432412.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430522948.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430486289.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430185630.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430244973.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430578626.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
    Source: 22o5gJzlg6.exe, 00000000.00000003.430432412.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430486289.000000000580D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kra
    Source: 22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
    Source: 22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
    Source: 22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
    Source: 22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432261621.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn.i
    Source: 22o5gJzlg6.exe, 00000000.00000003.432436607.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432499311.000000000580F000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432283139.000000000580F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
    Source: 22o5gJzlg6.exe, 00000000.00000003.432436607.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432283139.000000000580F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnva
    Source: unknown DNS traffic detected: queries for: milla11.publicvm.com

    E-Banking Fraud

    Source: Yara match File source: Process Memory Space: 22o5gJzlg6.exe PID: 5776, type: MEMORYSTR
    Source: 22o5gJzlg6.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: 22o5gJzlg6.exe, 00000000.00000002.696319010.0000000002761000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenametojen.exe4 vs 22o5gJzlg6.exe
    Source: 22o5gJzlg6.exe, 00000000.00000000.423127249.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameGoogle webmaster.exeD vs 22o5gJzlg6.exe
    Source: 22o5gJzlg6.exe Binary or memory string: OriginalFilenameGoogle webmaster.exeD vs 22o5gJzlg6.exe
    Source: 22o5gJzlg6.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Code function: 0_2_00E2D030 0_2_00E2D030
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Code function: 0_2_07291270 0_2_07291270
    Source: 22o5gJzlg6.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: 22o5gJzlg6.exe Virustotal: Detection: 73%
    Source: 22o5gJzlg6.exe Metadefender: Detection: 42%
    Source: 22o5gJzlg6.exe ReversingLabs: Detection: 69%
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: 22o5gJzlg6.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Mutant created: \Sessions\1\BaseNamedObjects\d84c416188f84fa099
    Source: classification engine Classification label: mal80.troj.winEXE@1/0@1/1
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe File read: C:\Windows\System32\drivers\etc\hosts
    Source: 22o5gJzlg6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Code function: 0_2_00E2274F push ds; iretd 0_2_00E2275A
    Source: initial sample Static PE information: section name: .text entropy: 7.472442868082026
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Window / User API: threadDelayed 4996
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe TID: 4916 Thread sleep count: 4996 > 30
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Memory allocated: page read and write | page guard
    Source: 22o5gJzlg6.exe, 00000000.00000002.697124211.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000002.696802851.00000000027B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Users\user\Desktop\22o5gJzlg6.exe VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe; Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\22o5gJzlg6.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: Yara match; File source: Process Memory Space: 22o5gJzlg6.exe PID: 5776, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match; File source: Process Memory Space: 22o5gJzlg6.exe PID: 5776, type: MEMORYSTR

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
    Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
    Defense Evasion: Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Process Injection (1); Obfuscated Files or Information (2); Software Packing (3)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
    Discovery: Virtualization/Sandbox Evasion (1); Process Discovery (1); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (12)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
    Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
    Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

    Source          Detection  Scanner         Label
    22o5gJzlg6.exe  73%        Virustotal
    22o5gJzlg6.exe  43%        Metadefender
    22o5gJzlg6.exe  69%        ReversingLabs   ByteCode-MSIL.Backdoor.Bladabhindi
    22o5gJzlg6.exe  100%       Avira           TR/Dropper.MSIL.Gen
    22o5gJzlg6.exe  100%       Joe Sandbox ML

    No Antivirus matches

    Source                              Detection  Scanner  Label
    0.0.22o5gJzlg6.exe.430000.0.unpack  100%       Avira    TR/Dropper.MSIL.Gen

    No Antivirus matches

    Name                  IP            Active  Malicious  Antivirus Detection  Reputation
    milla11.publicvm.com  91.109.186.4  true    false                           high

    Name                  Malicious  Antivirus Detection  Reputation
    milla11.publicvm.com  false                           high
                  unknown
                  http://www.urwpp.deDPlease22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.zhongyicts.com.cn22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432261621.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.carterandcone.como.22o5gJzlg6.exe, 00000000.00000003.432675327.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432828022.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432630198.000000000580F000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432759453.000000000580F000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.sakkal.com22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.carterandcone.comC~22o5gJzlg6.exe, 00000000.00000003.432863626.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433296887.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433244896.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432997847.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433420738.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  low
                  http://www.founder.com.cn/cn/;22o5gJzlg6.exe, 00000000.00000003.430476742.0000000005806000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430516625.0000000005806000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.carterandcone.coma22o5gJzlg6.exe, 00000000.00000003.433296887.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433244896.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432997847.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433420738.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.apache.org/licenses/LICENSE-2.022o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.fontbureau.com22o5gJzlg6.exe, 00000000.00000003.439066250.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440146087.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.437770989.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438952936.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438683013.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440822748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439187961.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440351183.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438563728.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440850654.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440448532.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438892084.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438487330.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438225069.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439221383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440257383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438377965.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 
00000000.00000003.438456044.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440546293.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440646134.0000000005812000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.galapagosdesign.com/22o5gJzlg6.exe, 00000000.00000003.442920288.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442005981.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442520590.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.443542427.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442655517.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.443031431.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442962847.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442741235.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.443220777.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.442128327.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.443153111.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.443450897.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.443332430.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.jiyu-kobo.co.jp/X22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.comF22o5gJzlg6.exe, 00000000.00000003.437693822.000000000580E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.jiyu-kobo.co.jp/V22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.comtt22o5gJzlg6.exe, 00000000.00000003.439066250.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438952936.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438683013.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439187961.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438563728.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438892084.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438487330.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438225069.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439221383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438377965.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438456044.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438763045.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439279849.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.fontbureau.comd_22o5gJzlg6.exe, 00000000.00000003.438683013.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438563728.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438487330.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438225069.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438377965.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438456044.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438174770.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438763045.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      low
                      http://www.jiyu-kobo.co.jp/jp/22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.436098101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435840977.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.436041454.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435402188.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.coma22o5gJzlg6.exe, 00000000.00000003.437851582.000000000580E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.carterandcone.coma-d22o5gJzlg6.exe, 00000000.00000003.432261621.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.comd22o5gJzlg6.exe, 00000000.00000003.440146087.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440822748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439609629.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440351183.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440850654.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440448532.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439642692.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440257383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440546293.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440646134.0000000005812000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.comsiefl22o5gJzlg6.exe, 00000000.00000003.440146087.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440822748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440351183.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440850654.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440448532.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440257383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440546293.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440646134.0000000005812000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.sakkal.com822o5gJzlg6.exe, 00000000.00000003.435143246.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435173659.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.ascendercorp.com/typedesigners.html~22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435352161.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435564805.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435393505.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435434677.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.sandoll.co.kra22o5gJzlg6.exe, 00000000.00000003.430432412.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.430486289.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://en.w22o5gJzlg6.exe, 00000000.00000003.427915980.0000000005806000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.jiyu-kobo.co.jp/=22o5gJzlg6.exe, 00000000.00000003.434060485.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434026409.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.carterandcone.coml22o5gJzlg6.exe, 00000000.00000002.699831067.00000000069F2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.founder.com.cn/cn/22o5gJzlg6.exe, 00000000.00000003.431386511.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431226577.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431719100.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431510900.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.com/designers/cabarga.htmlN22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.founder.com.cn/cn22o5gJzlg6.exe, 00000000.00000003.431016693.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.431510900.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://fontfabrik.com-e22o5gJzlg6.exe, 00000000.00000003.428170416.0000000005806000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.fontbureau.com/designers/frere-jones.html22o5gJzlg6.exe, 00000000.00000003.438782064.00000000057F0000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438763045.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.zhongyicts.com.cnva22o5gJzlg6.exe, 00000000.00000003.432436607.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432283139.000000000580F000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/r22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.monotype.22o5gJzlg6.exe, 00000000.00000003.445348164.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.445413832.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.441424361.00000000057EE000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.comt22o5gJzlg6.exe, 00000000.00000002.699727274.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.446329043.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.446126364.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.446267888.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.446363357.0000000005810000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/iv22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.carterandcone.com~22o5gJzlg6.exe, 00000000.00000003.432863626.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.433244896.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432997847.0000000005808000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          low
                          http://www.fontbureau.comm22o5gJzlg6.exe, 00000000.00000003.439066250.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438952936.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439187961.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438892084.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439221383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439279849.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/l22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.comz22o5gJzlg6.exe, 00000000.00000003.437851582.000000000580E000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/sv-s22o5gJzlg6.exe, 00000000.00000003.435183566.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434705101.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435226866.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435154857.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434492066.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434965433.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434616172.0000000005810000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434929567.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434860772.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.435275521.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.434381509.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.zhongyicts.com.cno.22o5gJzlg6.exe, 00000000.00000003.432436607.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432071419.0000000005808000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432499311.000000000580F000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.432283139.000000000580F000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers822o5gJzlg6.exe, 00000000.00000002.700212667.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.fontbureau.comals22o5gJzlg6.exe, 00000000.00000003.440146087.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439609629.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440351183.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440448532.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439642692.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440257383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440546293.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440646134.0000000005812000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.comitu_22o5gJzlg6.exe, 00000000.00000003.440146087.0000000005811000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440822748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439609629.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440351183.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439519748.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440850654.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440448532.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.439642692.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440257383.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440546293.0000000005812000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.440646134.0000000005812000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            low
                            http://www.fontbureau.comT.TTF=22o5gJzlg6.exe, 00000000.00000003.439066250.000000000580E000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438952936.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438892084.000000000580D000.00000004.00000800.00020000.00000000.sdmp, 22o5gJzlg6.exe, 00000000.00000003.438763045.000000000580D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            low
                            IP | Domain | Country | ASN | ASN Name | Malicious
                            91.109.186.4 | milla11.publicvm.com | France | 29075 | IELOIELOMainNetworkFR | false
                            Joe Sandbox Version:35.0.0 Citrine
                            Analysis ID:679116
                            Start date and time:2022-08-05 09:36:11 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 6m 11s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:22o5gJzlg6.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:18
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal80.troj.winEXE@1/0@1/1
                            EGA Information:Failed
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 84
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Adjust boot time
                            • Enable AMSI
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 23.211.6.115
                            • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, prod-azurecdn-akamai-iris.azureedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                            • Execution Graph export aborted for target 22o5gJzlg6.exe, PID 5776 because it is empty
                            • Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            No simulations
                            Match | Associated Sample Name / URL | Detection
                            91.109.186.4 | cNFCkmp5vz.exe | malicious
                            91.109.186.4 | e3CtV2Nw.exe | malicious
                                No context
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.014106369522473
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:22o5gJzlg6.exe
                                File size:772608
                                MD5:1f85c12fcd3232c577e5e8cc07fbf1e1
                                SHA1:3741755f8a11638209821a3cd7c01104acac184d
                                SHA256:f229ed07a73bf6f353a8429a9842aeb6c2e35a47f3b353bce93cca550efbbee4
                                SHA512:9a991ea8dd19bff6a7a83d546b2f4d958e849a17ef4cbc62c2faaf3e9588fc896c7cd48fe76cfa34a2efa66327002fb412201d32e74a5c683c30ee1fe1138667
                                SSDEEP:12288:WqShIfQIKMR4LClwugCEzE3qA2nv1gfckf:4hIYIKMCigCEzE312nKck
                                TLSH:4DF4920B5D78868AE1FA3530C6F670B3A273970BDD098A35697DE0C37E29DE904E7116
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..b.............................3... ...@....@.. ....................... .............................................
                                Icon Hash:f8c6e86968b0cc70
                                Entrypoint:0x4933ee
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                DLL Characteristics:
                                Time Stamp:0x62E8FC24 [Tue Aug 2 10:27:48 2022 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x93394 | 0x57 | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x96000 | 0x2b198 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94000 | 0xc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x2000 | 0x913f4 | 0x91400 | False | 0.7046612790447504 | data | 7.472442868082026 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .reloc | 0x94000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                .rsrc | 0x96000 | 0x2b198 | 0x2b200 | False | 0.17342617753623188 | data | 3.676783822364216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country
                                RT_ICON | 0x962b0 | 0x31c8 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                RT_ICON | 0x99478 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                                RT_ICON | 0xa9ca0 | 0x94a8 | data | |
                                RT_ICON | 0xb3148 | 0x5488 | data | |
                                RT_ICON | 0xb85d0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4282318848 | |
                                RT_ICON | 0xbc7f8 | 0x25a8 | data | |
                                RT_ICON | 0xbeda0 | 0x10a8 | data | |
                                RT_ICON | 0xbfe48 | 0x988 | data | |
                                RT_ICON | 0xc07d0 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                RT_GROUP_ICON | 0xc0c38 | 0x84 | data | |
                                RT_VERSION | 0xc0cbc | 0x2f0 | SysEx File - IDP | |
                                RT_MANIFEST | 0xc0fac | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                                DLL | Import
                                mscoree.dll | _CorExeMain
                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                08/05/22-09:39:04.872116 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                                08/05/22-09:37:42.892210 | TCP | 2825563 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                                08/05/22-09:37:42.798572 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49765 | 5050 | 192.168.2.5 | 91.109.186.4
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Aug 5, 2022 09:37:41.422647953 CEST | 61356 | 53 | 192.168.2.5 | 8.8.8.8
                                Aug 5, 2022 09:37:41.550160885 CEST | 53 | 61356 | 8.8.8.8 | 192.168.2.5
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Aug 5, 2022 09:37:41.422647953 CEST | 192.168.2.5 | 8.8.8.8 | 0x2963 | Standard query (0) | milla11.publicvm.com | A (IP address) | IN (0x0001)
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Aug 5, 2022 09:37:41.550160885 CEST | 8.8.8.8 | 192.168.2.5 | 0x2963 | No error (0) | milla11.publicvm.com | | 91.109.186.4 | A (IP address) | IN (0x0001)


                                Target ID:0
                                Start time:09:37:20
                                Start date:05/08/2022
                                Path:C:\Users\user\Desktop\22o5gJzlg6.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\22o5gJzlg6.exe"
                                Imagebase:0x430000
                                File size:772608 bytes
                                MD5 hash:1F85C12FCD3232C577E5E8CC07FBF1E1
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Reputation:low

                                Reset < >
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: <vl
                                  • API String ID: 0-2439421909
                                  • Opcode ID: 8ccc26698f03ff72e323e25d625f343b42bc06c4bef07aa05b31450040389ccb
                                  • Instruction ID: 906747324f681dabe26c7a584adcaaa851f7cdc93bb21db7f00fdaab73a21804
                                  • Opcode Fuzzy Hash: 8ccc26698f03ff72e323e25d625f343b42bc06c4bef07aa05b31450040389ccb
                                  • Instruction Fuzzy Hash: BCD17FB4E1020ACFCF14DFA9C484AAEBBF1FF48314F19856AE415AB351DB34A945CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e0c7a19dd3c1253535ef3b8ad38a50b44f8fa7835bfc5fe6cb7ab2cbb33d5da5
                                  • Instruction ID: 5abb553083ede38ab2816a9f9978bc5ba47fbe690a8a3bd101a75a523df1ef77
                                  • Opcode Fuzzy Hash: e0c7a19dd3c1253535ef3b8ad38a50b44f8fa7835bfc5fe6cb7ab2cbb33d5da5
                                  • Instruction Fuzzy Hash: BE91E374E042188FDF04DFA9C994AEEBBF2EF89314F14812AE505BB350DB749946CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: <vl$ <vl
                                  • API String ID: 0-3262591746
                                  • Opcode ID: a3d39cbe5d6b0fcb336ba5bc6fb06637ee0b29021c859d471238eddbdccb66f6
                                  • Instruction ID: 75b66d4d3f0bcc9d77df5b0f3b9ca1a4a1cb9448136ad3206a9ab82080053697
                                  • Opcode Fuzzy Hash: a3d39cbe5d6b0fcb336ba5bc6fb06637ee0b29021c859d471238eddbdccb66f6
                                  • Instruction Fuzzy Hash: 2591E671A142098FDF14DBA4C854AADBBF2EF89324F1844A9D505EB361CB35EC45CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $%rl$$%rl
                                  • API String ID: 0-4040795825
                                  • Opcode ID: 2658ac456218cbd1734c56058ed4013dc392c80db86a32a47fbb213461b13e89
                                  • Instruction ID: 2f90edee619df797d9b8dd09f991187e0dfd999ee54b5d014b833252df122101
                                  • Opcode Fuzzy Hash: 2658ac456218cbd1734c56058ed4013dc392c80db86a32a47fbb213461b13e89
                                  • Instruction Fuzzy Hash: 322149317082008FC721EF38D5188ABBBF6EF8531471984AAD105DB761EF71EC058B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: <vl
                                  • API String ID: 0-2439421909
                                  • Opcode ID: d0227f378bbe6525097d1219822d835d89b49f3a7ef6b90f43313d16cdb9090c
                                  • Instruction ID: cb118f56c6c3fd81f323fbcad5b70ca84489cc0a67a2e62a4485fae63011a280
                                  • Opcode Fuzzy Hash: d0227f378bbe6525097d1219822d835d89b49f3a7ef6b90f43313d16cdb9090c
                                  • Instruction Fuzzy Hash: E14126B13042069FDB04AB69DC50A6FB7EBEFC5254B15843AE605DB780CF36EC1587A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f1a8a22a2885323b12053cb6d52b824ce63a96b6d31bfae9830489654ec65de4
                                  • Instruction ID: 904b17a818bbd1e22f8b87389ca77d7c587c194d36bf62f003c3a419bf29bfb7
                                  • Opcode Fuzzy Hash: f1a8a22a2885323b12053cb6d52b824ce63a96b6d31bfae9830489654ec65de4
                                  • Instruction Fuzzy Hash: A5313731D1071ADBCB00EFA5D8509DAB7B1FF9A324F219B15E62477290EB30B595CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e7f55670dd9480633db639a55610fe51c9499b58b3933a17a7898479f4fe04ee
                                  • Instruction ID: dc883911d7a4d48b2e054b1e07d5432f04fd05166c5d06868e43507e9a60aaa3
                                  • Opcode Fuzzy Hash: e7f55670dd9480633db639a55610fe51c9499b58b3933a17a7898479f4fe04ee
                                  • Instruction Fuzzy Hash: 45213C70A1131ACFCB25EFA9C4809AABBB1FF49314F14447DD0599B761D736E881CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4be6b61a1798a7a99001fbcff21ff900c6cced1bb87e237f6f49cfa55a1a093c
                                  • Instruction ID: e2b85acbec1401f1e75542f64b8c185408ba06a5da0b6ee3af504aceb6b40ae5
                                  • Opcode Fuzzy Hash: 4be6b61a1798a7a99001fbcff21ff900c6cced1bb87e237f6f49cfa55a1a093c
                                  • Instruction Fuzzy Hash: E3210A71A1020ADFCF25DFA9C88099ABBB2FF48310F14847DE51997761C736E891CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4b512ad9c05cd0cd99a95d494ba74a23048d98ac2395aa69841728f67fe4eb92
                                  • Instruction ID: cde17ed00795f54d29fcb24f995d901f817b5b6b63d2933edd9ac81e57720a15
                                  • Opcode Fuzzy Hash: 4b512ad9c05cd0cd99a95d494ba74a23048d98ac2395aa69841728f67fe4eb92
                                  • Instruction Fuzzy Hash: 7E210970A1031ACFCB24EFA9C4809AAB7B2FF49314F14847DD11997761D736E881CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7f7802996b51abc94758972fbea7ba2195387617627684bcb175143f0bdb5228
                                  • Instruction ID: f854ab172cbabb24bc0c4f0d86122b4e096975c28c35c52ba3ac55d15aaff8ca
                                  • Opcode Fuzzy Hash: 7f7802996b51abc94758972fbea7ba2195387617627684bcb175143f0bdb5228
                                  • Instruction Fuzzy Hash: 5C11E370B142208BE310EA68E44275BB3DAFBC8705F106C2DE286D77C1CF70E8818B80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 954b50112f00e761e8a600c8d0d8fbb8fc442bce3acd6b31fb86ac5c52d3b36a
                                  • Instruction ID: 600406bf74101b26265be03b74b9855b02934da145ccca0d434b8b5d488309fc
                                  • Opcode Fuzzy Hash: 954b50112f00e761e8a600c8d0d8fbb8fc442bce3acd6b31fb86ac5c52d3b36a
                                  • Instruction Fuzzy Hash: FA11CEB6E1421A9F9B05DFA9C8444DEBFF6FF84251B08C2B6D044DB614EB34CA81CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695361975.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_dcd000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7428bda1f4fb11cbb17a5c9c2cbd0f0839c072c7d6ed4f826d5f3420ce70404d
                                  • Instruction ID: 903b97a04470c581149a9433df4ba00759ac574989a50afa59b7be5e6009eeb5
                                  • Opcode Fuzzy Hash: 7428bda1f4fb11cbb17a5c9c2cbd0f0839c072c7d6ed4f826d5f3420ce70404d
                                  • Instruction Fuzzy Hash: 9F2192755093C08FDB02CF24D994B15BF71EB46314F28C5EED8498B697C33A984ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e4be6dc0d994773d52ca1e54456af27169c01d163b4e462100ed0a093c24dbf7
                                  • Instruction ID: 3423f205343088715db6dd95cb61a193ed9f939befbdf97d083a0c92fe9ea3fb
                                  • Opcode Fuzzy Hash: e4be6dc0d994773d52ca1e54456af27169c01d163b4e462100ed0a093c24dbf7
                                  • Instruction Fuzzy Hash: AD1190B6E1061A9FDB04DBA9C8444EEBBF6BF84240B18C17AD405DB704EB30DA41CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 89c9937c5c92c7617ce42be703208094aa48760409d0c6dcf9365d1fb707375f
                                  • Instruction ID: c37d1f20c93baaa7bc68c23cf8176e6a199d2a4e839842178e02a1fdd455da30
                                  • Opcode Fuzzy Hash: 89c9937c5c92c7617ce42be703208094aa48760409d0c6dcf9365d1fb707375f
                                  • Instruction Fuzzy Hash: A711E570B046208BE314DA68E44275BB3D6FBCC705F106C2DE186D77C5CF70A8818780
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695235212.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bad000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
                                  • Instruction ID: 5b83f4bce0aa3ea28d151d9646671627f6752356005fa52bfa695f76a9fce7be
                                  • Opcode Fuzzy Hash: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
                                  • Instruction Fuzzy Hash: 6211D376808280CFDF12CF14D9C4B16BFB1FB95324F24C6A9D8050B616C336D85ACBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695235212.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_bad000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
                                  • Instruction ID: b440f5896f04e24b84ffd5e255a293234f2f79adf0bdebf313fd9ce9605442f8
                                  • Opcode Fuzzy Hash: 75ad921a90c5a80d0e06afb818f831ed5976852882da7f26f8f1702c903aed74
                                  • Instruction Fuzzy Hash: 4311B176504280CFDB12CF10D9C4B16BFB1FB99324F24C6A9D8450BB16C336E85ACBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8d76533082be1dea0566938e5e60abd97ca84a83b89adb2b55fc3b6d99831ae0
                                  • Instruction ID: 069b72bc53de968269adc68dc5fac4294b70be0f324a3dd958536a86bc7dfa77
                                  • Opcode Fuzzy Hash: 8d76533082be1dea0566938e5e60abd97ca84a83b89adb2b55fc3b6d99831ae0
                                  • Instruction Fuzzy Hash: 8901F97131420A8BEB64EF26DA8492B73E6AFC152030D8D399546CB261DF70ED41C752
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff3867cc6a3d8845af7704b0af66461deb53882f7361cff7ee5292691a806cda
                                  • Instruction ID: 34f7f96e5e41c3f3bc70df2e7525298e84de68f3a8c1a76bd2ff7b630c6701b7
                                  • Opcode Fuzzy Hash: ff3867cc6a3d8845af7704b0af66461deb53882f7361cff7ee5292691a806cda
                                  • Instruction Fuzzy Hash: 8C1104B53043465FDB05CE16EC80A9ABBA6FF85250F098436E9089B390C735CC229B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 73ce2f92eb59f5bae3cc3dd08b967d5819409259a3903578db83e2b2d636d7cd
                                  • Instruction ID: 31127f11096aa7907f3200e9c9535e8131f0252129b9d769895462b37eb2c2e2
                                  • Opcode Fuzzy Hash: 73ce2f92eb59f5bae3cc3dd08b967d5819409259a3903578db83e2b2d636d7cd
                                  • Instruction Fuzzy Hash: 1201F7317083645FDB05A778A4144BE7FEA9F86224B0A48EEE448D7382ED205C018396
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3232b2ed67f5403411ffcbea89d0f27d9d76d7f0474f7dc16fb0061a120c231d
                                  • Instruction ID: 7cd7e7c016619a1b751d46fb16b1a76becd87ac091e5b9fbbdcb185bae845bfd
                                  • Opcode Fuzzy Hash: 3232b2ed67f5403411ffcbea89d0f27d9d76d7f0474f7dc16fb0061a120c231d
                                  • Instruction Fuzzy Hash: 531100B5D042588FCB10CF9AD848B9EFBF4EB88324F14801AE458B3200D3B8A945CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cf3beda5f44952d3ca75fab95ad8069a051ed23cd416e96661c3f6a6bf86cc1f
                                  • Instruction ID: c0f6f81e77e92133ebb81f25d5ee15a317e2b6b601543064d36a2674d9f1a581
                                  • Opcode Fuzzy Hash: cf3beda5f44952d3ca75fab95ad8069a051ed23cd416e96661c3f6a6bf86cc1f
                                  • Instruction Fuzzy Hash: 0A01F9B7E20215EAFF00E5A9EC045FDB7E6EBC4220F444173D918A3284FA365C1546E2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3940cd917dcbc7592cdf8163b520580de9f0eda220ad4edc45321603b2d559c6
                                  • Instruction ID: f1692c4d46c43d627ab8f6a4afa770642979c09410875bed858517318d0e8d6d
                                  • Opcode Fuzzy Hash: 3940cd917dcbc7592cdf8163b520580de9f0eda220ad4edc45321603b2d559c6
                                  • Instruction Fuzzy Hash: 5101D0B2E20119E6DF10E5A9DC055EDB7E5EBC4314F450172DA09E3284F7755D1446D3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6a1799c81c88e2adf75f86bcdc6a253242e8bb97636dcc151a37975ebfa1fbf3
                                  • Instruction ID: e71f109477bed0ee5d36b23e9883a7eb8dc8724f8f981329f6bc8ee5184b281e
                                  • Opcode Fuzzy Hash: 6a1799c81c88e2adf75f86bcdc6a253242e8bb97636dcc151a37975ebfa1fbf3
                                  • Instruction Fuzzy Hash: DA019E71E20129ABCF04EBB8C8148DE77A1EF89354B094464E905AB342DB24AC008BE2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0fea4cc7722106de5e33af12c861559d29b5a186adeea5284df024a5cf3717b7
                                  • Instruction ID: dafbfa4e431a8b5871af86c1dbcf7669e892fc91b23dcc0d37852398abc4d591
                                  • Opcode Fuzzy Hash: 0fea4cc7722106de5e33af12c861559d29b5a186adeea5284df024a5cf3717b7
                                  • Instruction Fuzzy Hash: 4D11AD71A04229CFDF25EFB4E1653AD7AF1EF88318F107429D101B6286DF394984CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 373bf395a28616e25b29ba7197a792c0ecfd8ef157306f521e4fa6373c554649
                                  • Instruction ID: ab23bbf56aae4a075a9b604db96368c97ba57eeb4d1a82276c683866d4503202
                                  • Opcode Fuzzy Hash: 373bf395a28616e25b29ba7197a792c0ecfd8ef157306f521e4fa6373c554649
                                  • Instruction Fuzzy Hash: 18F0FC617146645FEB19DB795C158AE7FFADFC2214B4984F9D504D7351FD305C024390
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ed5d866308c4e73b1e0ac8d1d39e8a6727282fd6e028c6c7e3c14a888094b4e4
                                  • Instruction ID: 36dd3ae9917e71369093bb1e64dba5d8c4e54cabe84be935bb913332c9667c87
                                  • Opcode Fuzzy Hash: ed5d866308c4e73b1e0ac8d1d39e8a6727282fd6e028c6c7e3c14a888094b4e4
                                  • Instruction Fuzzy Hash: E7F090B1B081285B8F15B7A8AC529BEBAFAEBC8714B000029F705B7381CA714A01C7E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7217cfd67c9e93e8a509e5d3a05efca1c4a766fb35ecd5fd4fd8e26d69e64a3a
                                  • Instruction ID: 0763290920bafbb788f4e2a6e1d7f74268d1bdf957dca64e255ecd943287df62
                                  • Opcode Fuzzy Hash: 7217cfd67c9e93e8a509e5d3a05efca1c4a766fb35ecd5fd4fd8e26d69e64a3a
                                  • Instruction Fuzzy Hash: DE01D172A041998FCF05CFBCD8805EDBFB2EE892147088296D845EB21AE635E545CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3108d13e4017a4d0600a2413136a527352ae08c3519c644b36976f309fe86263
                                  • Instruction ID: a3216fb376679a4c8e7997e110a08f3acd18fd6442d6fe842286baa140881a67
                                  • Opcode Fuzzy Hash: 3108d13e4017a4d0600a2413136a527352ae08c3519c644b36976f309fe86263
                                  • Instruction Fuzzy Hash: 07F0E035A052945FCB329B7D9804AD97FF49F4A210F0943FAD4B8D76E2D534C905C751
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5622e28f13bf19b4435caa20052cc805db90c696b2b782b737333bdc55b6129f
                                  • Instruction ID: 1dcc3f44dd13091d8db9026bf9817989e8ac709bb700454230bbbf803c8fa814
                                  • Opcode Fuzzy Hash: 5622e28f13bf19b4435caa20052cc805db90c696b2b782b737333bdc55b6129f
                                  • Instruction Fuzzy Hash: 85F05971A011159FCB64DA7DA80869EBBF8EB49324B04567FD469D32C0DB30A500CB42
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b3d93a9ca2d20217926ee0f58f1ab25e88e7fbbfaa687cf410d70e8d24c1cf75
                                  • Instruction ID: 4a6f672b78717ef1cdaa9aeaa4fab24080b8be1e30afe57ea8ce147dedcbe660
                                  • Opcode Fuzzy Hash: b3d93a9ca2d20217926ee0f58f1ab25e88e7fbbfaa687cf410d70e8d24c1cf75
                                  • Instruction Fuzzy Hash: 41F027302182044FD310AB14E4406C277F5DF42714F0445EEE14ACF292CBA6AD4987E2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6f9ef46235fe1b3a7e3a9c936d55881c7da59b642a5a9e637a3731cd09896a88
                                  • Instruction ID: 92bf5f0a286947e46671fc0ac6285a56905c8540e1961d4dcb3dff95f93130fd
                                  • Opcode Fuzzy Hash: 6f9ef46235fe1b3a7e3a9c936d55881c7da59b642a5a9e637a3731cd09896a88
                                  • Instruction Fuzzy Hash: 00F0E9305093804FD709EB31B5543643FA59749368F496CDDD486A7193D77A8CDAC361
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.700760592.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7290000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695630852.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e20000_22o5gJzlg6.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%