
Windows Analysis Report
NfPIgjwteS.exe

Overview

General Information

Sample name: NfPIgjwteS.exe (renamed because the original name is a hash value)
Original sample name: 8d800c3c7c7eb2c03f22b365f52fbff0.exe
Analysis ID: 1527268
MD5: 8d800c3c7c7eb2c03f22b365f52fbff0
SHA1: 6e41a8832aac5fae24165ca5de98aaf14ed8aa97
SHA256: 4bf737f017a40c23e888891a415711dfa6cae8302f46922e97da60f43a0ae40c
Tags: exe, user-abuse_ch

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • NfPIgjwteS.exe (PID: 6408 cmdline: "C:\Users\user\Desktop\NfPIgjwteS.exe" MD5: 8D800C3C7C7EB2C03F22B365F52FBFF0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

No malicious signatures matched; the full list of signature results follows.

Source: NfPIgjwteS.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: G:\PROGRAMAS VISUAL STUDIO\pse-nuevo-vbs\pse-nuevo-vbs\obj\Debug\pse-nuevo-vbs.pdb4UNU @U_CorExeMainmscoree.dll source: NfPIgjwteS.exe
Source: Binary string: G:\PROGRAMAS VISUAL STUDIO\pse-nuevo-vbs\pse-nuevo-vbs\obj\Debug\pse-nuevo-vbs.pdb source: NfPIgjwteS.exe
Source: NfPIgjwteS.exe, 00000000.00000002.3023431823.0000000002571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (the ClaimTypes.Name constant from System.Security.Claims in mscorlib)
Source: NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-user.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com (also in 00000000.00000002.3024269367.00000000055E0000.00000004.00000020.00020000.00000000.sdmp)
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
These URLs are vendor and designer strings from the name tables of the stock Windows fonts that System.Drawing enumerated (see the volume-information rows for C:\Windows\Fonts further down); the sample does not contact them, and no DNS query or network connection was recorded.
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | Code function: 0_2_0077C1B8, 0_2_0077DBD0, 0_2_04948B98, 0_2_04945F4C, 0_2_06B91EC0, 0_2_06B97F40, 0_2_06B92B50, 0_2_06B97F40, 0_2_06B92B40, 0_2_06B91EC0
Source: NfPIgjwteS.exe, 00000000.00000000.1770681266.00000000000A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamepse-nuevo-vbs.exe< vs NfPIgjwteS.exe
Source: NfPIgjwteS.exe, 00000000.00000002.3023152059.000000000081E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs NfPIgjwteS.exe
Source: NfPIgjwteS.exe | Binary or memory string: OriginalFilenamepse-nuevo-vbs.exe< vs NfPIgjwteS.exe
Source: classification engine | Classification label: clean3.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | Mutant created: NULL
Source: NfPIgjwteS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NfPIgjwteS.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, textshaping.dll (in load order)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: NfPIgjwteS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NfPIgjwteS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
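The static rows above (the DllCharacteristics flags, the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and IMAGE_DIRECTORY_ENTRY_DEBUG directories, and the PDB path recorded under "Binary string") can be reproduced without a sandbox. The Python below is an added example and not Joe Sandbox code: it parses the PE optional header, decodes the DllCharacteristics bits, treats a populated COM descriptor directory as the mark of a .NET image, and reads the PDB path out of the CodeView RSDS debug entry. The image it runs on is constructed inline (a minimal PE32 carrying the same flags, a CLR header and the report's PDB path); offsets and constants are those of winnt.h. One caveat on the flags: HIGH_ENTROPY_VA only takes effect in a 64-bit image, and the .NET compilers set it by default, so its presence here says nothing about the build beyond the toolchain used.

```python
"""Static PE triage: DllCharacteristics, CLR header and PDB path from the debug directory.
Added example, not Joe Sandbox code; the image it runs on is constructed in build_sample_pe()."""
import struct

DLL_CHARACTERISTICS = {  # IMAGE_DLLCHARACTERISTICS_* bits (winnt.h)
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
IMAGE_DEBUG_TYPE_CODEVIEW = 2
COMIMAGE_FLAGS_ILONLY = 0x1


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (header RVAs map 1:1)."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    return rva


def parse_pe(data):
    """Return machine, DllCharacteristics names, .NET markers and PDB path for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Subsystem/DllCharacteristics share offsets in PE32 and PE32+; the directories
    # shift by 16 in PE32+ because the stack/heap reserve fields widen to 8 bytes.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs_off = opt + (108 if pe32plus else 92)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_ptr, raw_size))
    info = {"machine": machine, "pe32plus": pe32plus,
            "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
            "is_dotnet": False, "clr_il_only": False, "pdb_path": None}
    # A populated COM descriptor directory (IMAGE_COR20_HEADER) is what marks a managed image.
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        rva, size = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
        if rva and size:
            off = _rva_to_offset(sections, rva)
            info["is_dotnet"] = struct.unpack_from("<I", data, off)[0] >= 72  # cb of the COR20 header
            info["clr_il_only"] = bool(struct.unpack_from("<I", data, off + 16)[0] & COMIMAGE_FLAGS_ILONLY)
    # The debug directory's CodeView (RSDS) entry carries the build machine's PDB path.
    if ndirs > IMAGE_DIRECTORY_ENTRY_DEBUG and dirs[IMAGE_DIRECTORY_ENTRY_DEBUG][0]:
        rva, size = dirs[IMAGE_DIRECTORY_ENTRY_DEBUG]
        off = _rva_to_offset(sections, rva)
        for i in range(size // 28):
            _, _, _, _, dtype, dsize, _, raw_ptr = struct.unpack_from("<IIHHIIII", data, off + 28 * i)
            if dtype == IMAGE_DEBUG_TYPE_CODEVIEW and data[raw_ptr:raw_ptr + 4] == b"RSDS":
                path = data[raw_ptr + 24:raw_ptr + dsize].split(b"\0", 1)[0]  # sig, GUID, age, path
                info["pdb_path"] = path.decode("utf-8", "replace")
    return info


def build_sample_pe():
    """Constructed minimal PE32: the report's DllCharacteristics, a CLR header and an RSDS record."""
    pdb = b"G:\\PROGRAMAS VISUAL STUDIO\\pse-nuevo-vbs\\pse-nuevo-vbs\\obj\\Debug\\pse-nuevo-vbs.pdb"
    rsds = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb + b"\0"
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)           # i386, one section, EXE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                    # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)               # ImageBase, alignments
    struct.pack_into("<HH", opt, 68, 2, 0x8560)                              # GUI subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x1000, 28)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x1100, 72)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    body = bytearray(0x200)                                                  # RVA 0x1000 == file 0x200
    struct.pack_into("<IIHHIIII", body, 0, 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(rsds), 0x1040, 0x240)
    body[0x40:0x40 + len(rsds)] = rsds
    struct.pack_into("<IHH", body, 0x100, 72, 2, 5)                          # IMAGE_COR20_HEADER cb, runtime 2.5
    struct.pack_into("<I", body, 0x110, COMIMAGE_FLAGS_ILONLY)               # Flags field at offset 16
    return headers + bytes(body)


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run against a real file with `parse_pe(open(path, "rb").read())`; the section-table walk is what makes the debug and CLR lookups work on images whose sections are not laid out identically in file and memory.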
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | Code function: 0_2_007708D8 push C0330066h; ret 0_2_007708E2
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | Code function: 0_2_04943D0B push dword ptr [ecx+ecx-75h]; iretd 0_2_04943D1B
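The "push C0330066h; ret" row above is what the "Uses code obfuscation techniques (call, push, ret)" signature keys on: a push of an immediate followed by ret is a jump with no jmp instruction, and call $+5 is the GetPC idiom of position-independent shellcode. The Python below is an added example, not the signature's implementation: it scans a byte region for both patterns and checks whether each resolved target lands inside a range the process maps as code. The region, its base address and the code ranges are constructed for the demo. The third hit reproduces the report's shape: the pushed value C0330066h matches no code address listed anywhere in this report, which is how the pattern looks when a disassembler sweeps non-code bytes rather than a deliberate trampoline.

```python
"""Scan a code region for `push imm32 ; ret` and `call $+5` control-transfer tricks.
Added example, not the sandbox's signature; region, base and code ranges are constructed."""
from dataclasses import dataclass


@dataclass
class Hit:
    address: int   # virtual address where the pattern starts
    kind: str      # "push/ret" or "call $+5"
    target: int    # effective control-flow destination
    in_code: bool  # destination lies inside a region the process maps as code


def _in_regions(addr, regions):
    return any(lo <= addr < hi for lo, hi in regions)


def scan_push_ret(code, base, code_regions):
    """Find both patterns in `code` (loaded at `base`) and resolve where control goes.

    68 imm32 C3       push imm32 ; ret   -> jumps to imm32 without a jmp/call, so static
                                            call-graph builders do not see the edge.
    E8 00 00 00 00    call $+5           -> pushes its own return address and falls
                                            through; shellcode pops it to learn its address.
    """
    hits, i = [], 0
    while i < len(code):
        if code[i] == 0x68 and i + 5 < len(code) and code[i + 5] == 0xC3:
            target = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append(Hit(base + i, "push/ret", target, _in_regions(target, code_regions)))
            i += 6
        elif code[i] == 0xE8 and code[i + 1:i + 5] == b"\0\0\0\0":
            target = base + i + 5
            hits.append(Hit(base + i, "call $+5", target, _in_regions(target, code_regions)))
            i += 5
        else:
            i += 1
    return hits


def split_by_plausibility(hits):
    """Hits whose target is mapped code deserve a look; the rest are usually the
    pattern bytes turning up inside data or heap that a disassembler swept over."""
    return [h for h in hits if h.in_code], [h for h in hits if not h.in_code]


# Constructed sample region at a constructed base: a real trampoline into mapped code,
# a GetPC stub, then six bytes of a data table that happen to decode as push/ret with
# the same implausible operand the report shows (C0330066h).
SAMPLE_BASE = 0x00401000
SAMPLE_CODE = (
    b"\x68\x00\x20\x40\x00\xC3"   # push 0x00402000 ; ret
    b"\x90\x90"                   # nop ; nop
    b"\xE8\x00\x00\x00\x00\x58"   # call $+5 ; pop eax
    b"\x68\x66\x00\x33\xC0\xC3"   # 'push 0xC0330066 ; ret' as a disassembler would render it
)
SAMPLE_CODE_REGIONS = [(0x00401000, 0x00403000)]   # the constructed image's .text

if __name__ == "__main__":
    real, noise = split_by_plausibility(scan_push_ret(SAMPLE_CODE, SAMPLE_BASE, SAMPLE_CODE_REGIONS))
    for h in real:
        print(f"{h.address:08X} {h.kind:<9} -> {h.target:08X}  (mapped code, review)")
    for h in noise:
        print(f"{h.address:08X} {h.kind:<9} -> {h.target:08X}  (unmapped target, likely data)")
```

A byte scan is deliberately the weakest form of this check: it cannot tell an instruction boundary from the middle of an operand, which is exactly why the plausibility split against mapped code regions matters more than the raw hit count.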
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | Process information set: NOOPENFILEERRORBOX (39 identical entries)
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | Memory allocated: 700000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | Memory allocated: 2570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | Memory allocated: 23C0000 memory reserve | memory write watch
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\NfPIgjwteS.exe | Queries volume information (VolumeInformation), in order:
  • C:\Users\user\Desktop\NfPIgjwteS.exe
  • C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
  • C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  • C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  • C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
  • C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
  • C:\Windows\Fonts\ (124 queries; consecutive repeats marked): bahnschrift.ttf (×3), calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, cambria.ttc, Candara.ttf, Candaral.ttf, Candarai.ttf, Candarali.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbell.ttf, corbeli.ttf, corbelli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, FRADMIT.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc, msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taileb.ttf, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc (×2), monbaiti.ttf, msgothic.ttc (×2), mvboli.ttf, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf, segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, seguihis.ttf, simsun.ttc, simsunb.ttf, Sitka.ttc, SitkaI.ttc, SitkaB.ttc, Sitka.ttc, SitkaZ.ttc, Sitka.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, timesi.ttf, timesbd.ttf, timesbi.ttf, trebuc.ttf, trebucit.ttf, trebucbd.ttf, trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf, webdings.ttf, wingding.ttf, YuGothR.ttc, YuGothM.ttc
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\NfPIgjwteS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (one line per tactic; a number before a technique is the report's signature count for that technique, techniques without a number had no matching signature):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At | Cron
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook
Privilege Escalation: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook
Defense Evasion: 1 Virtualization/Sandbox Evasion | 1 Disable or Modify Tools | 1 DLL Side-Loading | 1 Obfuscated Files or Information
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS
Discovery: 1 Virtualization/Sandbox Evasion | 12 System Information Discovery | Query Registry | System Network Configuration Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model
Collection: 1 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture
Command and Control: 1 Encrypted Channel | Junk Data | Steganography | Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction
Source | Detection | Scanner | Label
NfPIgjwteS.exe | 11% | ReversingLabs | Win32.Trojan.Generic
No Antivirus matches
Source | Detection | Scanner | Label
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | NfPIgjwteS.exe, 00000000.00000002.3023431823.0000000002571000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | NfPIgjwteS.exe, 00000000.00000002.3024328990.00000000066B2000.00000004.00000800.00020000.00000000.sdmp, NfPIgjwteS.exe, 00000000.00000002.3024269367.00000000055E0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1527268
    Start date and time:2024-10-06 22:11:40 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 18s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:6
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:NfPIgjwteS.exe
    renamed because original name is a hash value
    Original Sample Name:8d800c3c7c7eb2c03f22b365f52fbff0.exe
    Detection:CLEAN
    Classification:clean3.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 99%
    • Number of executed functions: 28
    • Number of non-executed functions: 4
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • VT rate limit hit for: NfPIgjwteS.exe
    No simulations
    No context
    No created / dropped files found
    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Entropy (8bit):5.337882193816427
    TrID:
    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
    • Win32 Executable (generic) a (10002005/4) 49.75%
    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
    • Windows Screen Saver (13104/52) 0.07%
    • Generic Win/DOS Executable (2004/3) 0.01%
    File name:NfPIgjwteS.exe
    File size:16'384 bytes
    MD5:8d800c3c7c7eb2c03f22b365f52fbff0
    SHA1:6e41a8832aac5fae24165ca5de98aaf14ed8aa97
    SHA256:4bf737f017a40c23e888891a415711dfa6cae8302f46922e97da60f43a0ae40c
    SHA512:f15cc14735c02896a5540e230712d89629b060286c3fec4b5f4e16c7fbe08caf844b12bd01467b7858f3060daf3814dacc8f3e5d20f2c879e7f8e2d34ba5289e
    SSDEEP:384:c5HdkVF+GJUBLgTN8PYnHGEMaGPlJkkUb7:c5Hdm+Ge1GhGla27kkO
    TLSH:F372294887E4C375C2BD6BB618636D0047F2EA65C523FF1E5DC8A89E1F236408792B72
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........."...P..6..........^U... ...`....@.. ....................................`................................
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x40555e
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Time Stamp:0x64831C8F [Fri Jun 9 12:35:27 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
    Instruction (entry point stub; 0x402000 is the IAT slot listed below, which holds the mscoree.dll _CorExeMain import)
    jmp dword ptr [00402000h]
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x550c | 0x4f | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x5cc | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0xc | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x53d4 | 0x1c | .text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x2000 | 0x3564 | 0x3600 | b622e145fadd031e87aaf61407207502 | False | 0.474609375 | data | 5.606921445770961 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rsrc | 0x6000 | 0x5cc | 0x600 | 4ab6a696514e85326f67043f2a9e1351 | False | 0.41796875 | data | 4.109810656149431 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x8000 | 0xc | 0x200 | 5f30fe1e90b2f253432b992a220e4c8d | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_VERSION | 0x6090 | 0x33c | data | | | 0.4166666666666667
    RT_MANIFEST | 0x63dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

    DLL | Import
    mscoree.dll | _CorExeMain
    No network behavior found

    Target ID:0
    Start time:16:12:42
    Start date:06/10/2024
    Path:C:\Users\user\Desktop\NfPIgjwteS.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\NfPIgjwteS.exe"
    Imagebase:0xa0000
    File size:16'384 bytes
    MD5 hash:8D800C3C7C7EB2C03F22B365F52FBFF0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:false

      Execution Graph

      Execution Coverage:9.1%
      Dynamic/Decrypted Code Coverage:100%
      Signature Coverage:2.7%
      Total number of Nodes:182
      Total number of Limit Nodes:22

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 854 6b92b50-6b92c67 859 6b92c6d-6b92d39 854->859 860 6b92d3e-6b92d48 854->860 870 6b93077-6b93083 859->870 861 6b92d4e-6b92ee0 860->861 862 6b92ee5-6b9306b 860->862 861->870 862->870 873 6b930b8-6b930e1 870->873 874 6b93085-6b9308c 870->874 875 6b93154-6b9318a 873->875 878 6b9308e-6b93093 874->878 879 6b93095-6b9309c 874->879 888 6b93193-6b931a9 875->888 880 6b930b4-6b930b6 878->880 881 6b9309e-6b930a0 879->881 882 6b930a2-6b930b1 879->882 880->873 883 6b930e3-6b9314d 880->883 881->880 882->880 883->875 890 6b931ab 888->890 891 6b931b4-6b93247 888->891 890->891 892 6b931ad 890->892 901 6b93249 891->901 902 6b93252-6b932c6 891->902 892->891 901->902 903 6b9324b 901->903 911 6b932cc-6b93371 902->911 912 6b93381-6b933b7 902->912 903->902 911->912 915 6b93373-6b93380 911->915 918 6b933b9 912->918 919 6b933cb-6b933d8 912->919 915->912 918->919 920 6b933bb-6b933c9 918->920 922 6b933d9-6b933e3 919->922 920->922 924 6b93453-6b93463 922->924 925 6b933e5-6b933fd 922->925 928 6b93464-6b935c4 924->928 925->928 929 6b933ff-6b93406 925->929 952 6b935d2 928->952 953 6b935c6 928->953 930 6b93408-6b9340d 929->930 931 6b9340f-6b93416 929->931 933 6b9342e-6b93430 930->933 934 6b93418-6b9341a 931->934 935 6b9341c-6b9342b 931->935 933->928 936 6b93432-6b93451 933->936 934->933 935->933 936->928 954 6b935d3 952->954 953->952 954->954
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3024725743.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_6b90000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID: fff?
      • API String ID: 0-4136771917
      • Opcode ID: 2a23e0c1f9383fb67ca572a5ec505c1a7b6ccc5c1ccc045f91cd36d67ac3d16e
      • Instruction ID: 5abf3f5f64617386fe7680dda5058e3ca29aedb4cdfcbd5b1b95f6967070ebf0
      • Opcode Fuzzy Hash: 2a23e0c1f9383fb67ca572a5ec505c1a7b6ccc5c1ccc045f91cd36d67ac3d16e
      • Instruction Fuzzy Hash: 63623C3180061ADFCF11DF60C984AD9B7B2FF99304F1586D5E9086B225EB75AAD9CF80

      Memory Dump Source
      • Source File: 00000000.00000002.3024725743.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_6b90000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID: fff?
      • API String ID: 0-4136771917
      • Opcode ID: 6e768dafec2ca83b8ec5e2db928b8bb90d9480d03dd0075bfd0590afa5e2164d
      • Instruction ID: ad6ef47a35d0954e8da0f9fdeb0550ac75369ced8fa949ee2a2d7bdec9960129
      • Opcode Fuzzy Hash: 6e768dafec2ca83b8ec5e2db928b8bb90d9480d03dd0075bfd0590afa5e2164d
      • Instruction Fuzzy Hash: 30125B7590061ADFCF11DF50C884AE9BBB2FF49304F0585E5D9086B266DB76AE89CF80
      Memory Dump Source
      • Source File: 00000000.00000002.3024725743.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_6b90000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 944ab35568a6700bad8292826461e071ab8d2d9d6d056e2652cf4470d459909e
      • Instruction ID: 734f18717223fd28ce57120fe54222b290d548fd9f6d4d2c17cb084bcbfa9343
      • Opcode Fuzzy Hash: 944ab35568a6700bad8292826461e071ab8d2d9d6d056e2652cf4470d459909e
      • Instruction Fuzzy Hash: 65526935A1061ADFCF61DF64C854AE9B7B1FF49300F1481E9E509AB261EB35EA81CF50
      Memory Dump Source
      • Source File: 00000000.00000002.3024725743.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_6b90000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: af02dd0be42cc98293838c62d97084b374b9ee55055728922554c11718f2c46f
      • Instruction ID: 9fd266fee39e367112123c2e86c068fd46457278ff76af3e836bf03affd46cd5
      • Opcode Fuzzy Hash: af02dd0be42cc98293838c62d97084b374b9ee55055728922554c11718f2c46f
      • Instruction Fuzzy Hash: D7323671A0061ACFDF61DF64C944BD9B7B2FF8A300F1485E9E509AB221DB75AA84CF50

      APIs
      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0077780F
      Memory Dump Source
      • Source File: 00000000.00000002.3022879101.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_770000_NfPIgjwteS.jbxd
      Similarity
      • API ID: DuplicateHandle
      • String ID: W
      • API String ID: 3793708945-655174618
      • Opcode ID: 7d7b08c9f0010dae9cca96cb8a43506b46074bae01ad939469f50857c63a6c2a
      • Instruction ID: 566496dbe38781acd5556061afe4e488f53c4420f7476c91227ae6fee9e71514
      • Opcode Fuzzy Hash: 7d7b08c9f0010dae9cca96cb8a43506b46074bae01ad939469f50857c63a6c2a
      • Instruction Fuzzy Hash: 5221F2B5D00249DFDB10CFAAD984ADEBBF4EF48320F24845AE958A7250D378A940CF61

      Memory Dump Source
      • Source File: 00000000.00000002.3022879101.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_770000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: fedefcd5a0cc7952de25159ed65b7bacb041b6813ad1d6fbf89ef5f5cb27a3de
      • Instruction ID: ede37368d99e507651672ff3a071bcada18b03e4930f435d0285a350b7ab022f
      • Opcode Fuzzy Hash: fedefcd5a0cc7952de25159ed65b7bacb041b6813ad1d6fbf89ef5f5cb27a3de
      • Instruction Fuzzy Hash: 3F8156B0A00B058FDB24DF29D44475ABBF2FF88344F00892DE48ADBA50D779E959CB91

      APIs
      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0077FBE2
      Memory Dump Source
      • Source File: 00000000.00000002.3022879101.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_770000_NfPIgjwteS.jbxd
      Similarity
      • API ID: CreateWindow
      • String ID:
      • API String ID: 716092398-0
      • Opcode ID: eb121a418ae70937e2114de5f1b8ba685c315f2f6901505acdd4e21fd139f1d1
      • Instruction ID: 4f4f349b676592b84bc5078faee49d79f1ea7e4024f23ecb81229d057e869cd7
      • Opcode Fuzzy Hash: eb121a418ae70937e2114de5f1b8ba685c315f2f6901505acdd4e21fd139f1d1
      • Instruction Fuzzy Hash: BF51BCB1D003099FDF14CFAAC984ADEBBB5FF48350F24812AE819AB250D774A845CF90

      APIs
      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0077780F
      Memory Dump Source
      • Source File: 00000000.00000002.3022879101.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_770000_NfPIgjwteS.jbxd
      Similarity
      • API ID: DuplicateHandle
      • String ID:
      • API String ID: 3793708945-0
      • Opcode ID: 6d8fd349d89aa4b7c71ee77d0cebe21aad8d71e44e9ec1ba587781fcd142c9aa
      • Instruction ID: f32c6eb81dacb81389fd77f628aa79c0530a0e9ae4dfe83fd23877e8fb0b7d80
      • Opcode Fuzzy Hash: 6d8fd349d89aa4b7c71ee77d0cebe21aad8d71e44e9ec1ba587781fcd142c9aa
      • Instruction Fuzzy Hash: 1F415EB4A40344DFEB05EF64E948ABA7BB5FB48301F208429EA058B7A4C7785D16DF71
      APIs
      • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06B97707
      Memory Dump Source
      • Source File: 00000000.00000002.3024725743.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_6b90000_NfPIgjwteS.jbxd
      Similarity
      • API ID: DrawText
      • String ID:
      • API String ID: 2175133113-0
      • Opcode ID: 583a2d154955e4d3d692999c50b88859204a4e58a3b385b99f9558cd957bbfdb
      • Instruction ID: 47ff00a4abb428c4adc8238418bea9818ffffac08cf165ba0de1e6eaefe95f13
      • Opcode Fuzzy Hash: 583a2d154955e4d3d692999c50b88859204a4e58a3b385b99f9558cd957bbfdb
      • Instruction Fuzzy Hash: B63104B5D102099FDF50CF99D880ADEFBF5FB48320F24846AE519A7210D774A541CFA0
      APIs
      • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06B97707
      Memory Dump Source
      • Source File: 00000000.00000002.3024725743.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_6b90000_NfPIgjwteS.jbxd
      Similarity
      • API ID: DrawText
      • String ID:
      • API String ID: 2175133113-0
      • Opcode ID: 4f8cd45e2421f76c4f06191a8db77781c98540b78e96d5187d50468cdb5b3a95
      • Instruction ID: fb236362660851d55c3ef8be22c5e3188c9c87e2c1ef56a3454b880011ced932
      • Opcode Fuzzy Hash: 4f8cd45e2421f76c4f06191a8db77781c98540b78e96d5187d50468cdb5b3a95
      • Instruction Fuzzy Hash: 8721AEB5D112499FDB10CF9AD884ADEFBF5FB48320F24842AE919A7210D775A944CFA0
      APIs
      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0077780F
      Memory Dump Source
      • Source File: 00000000.00000002.3022879101.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_770000_NfPIgjwteS.jbxd
      Similarity
      • API ID: DuplicateHandle
      • String ID:
      • API String ID: 3793708945-0
      • Opcode ID: 5b3c4e8f5d78edd60dc3c5d0ca1038e4174ebb90754062d4922a9f6c46406f3f
      • Instruction ID: 6df12b76d3371d7b037f9936de12f4d21bc9506904b58db2d113267db5eb136e
      • Opcode Fuzzy Hash: 5b3c4e8f5d78edd60dc3c5d0ca1038e4174ebb90754062d4922a9f6c46406f3f
      • Instruction Fuzzy Hash: FD21E6B5D00208DFDB10CF9AD984ADEBBF4FB48320F14841AE918A3350D378A940CF61
      APIs
      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0077FD00,?,?,?,?), ref: 0077FD75
      Memory Dump Source
      • Source File: 00000000.00000002.3022879101.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_770000_NfPIgjwteS.jbxd
      Similarity
      • API ID: LongWindow
      • String ID:
      • API String ID: 1378638983-0
      • Opcode ID: b803fc491e2138d1495326175166c2f5fca183e04ed04b3c1418fb7d9b1ef297
      • Instruction ID: 335822ea7d05ed4bcc3f3a6c2b90196c8aba82a0ee5cc38df7c2c5d415e15b42
      • Opcode Fuzzy Hash: b803fc491e2138d1495326175166c2f5fca183e04ed04b3c1418fb7d9b1ef297
      • Instruction Fuzzy Hash: F42189B1900249CFCB20DF9AD985BDEBBF8EF48314F20842AD448A7341C374A944CFA5
      APIs
      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0077FD00,?,?,?,?), ref: 0077FD75
      Memory Dump Source
      • Source File: 00000000.00000002.3022879101.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_770000_NfPIgjwteS.jbxd
      Similarity
      • API ID: LongWindow
      • String ID:
      • API String ID: 1378638983-0
      • Opcode ID: b31d599da4094037b855e325728ba0cfb698fbf64fdc878207703d8824677b7f
      • Instruction ID: 6457b723058213343298099f22815573df1258bf83ce363a0a56bc2f2e56df96
      • Opcode Fuzzy Hash: b31d599da4094037b855e325728ba0cfb698fbf64fdc878207703d8824677b7f
      • Instruction Fuzzy Hash: 701128B5900349CFDB20CF99D544BDEBBF8EB48320F20841AD558A7300C374A944CFA1
      APIs
      • GetModuleHandleW.KERNELBASE(00000000), ref: 0077D72E
      Memory Dump Source
      • Source File: 00000000.00000002.3022879101.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_770000_NfPIgjwteS.jbxd
      Similarity
      • API ID: HandleModule
      • String ID:
      • API String ID: 4139908857-0
      • Opcode ID: 707a087cafa26187e3c586c8241121e233a8fc827a8ad066b7263d24b9e3134a
      • Instruction ID: d422d78fe0c510d4bab9aea41fd4f29d13e93fe3236a5a9748c47d888533a572
      • Opcode Fuzzy Hash: 707a087cafa26187e3c586c8241121e233a8fc827a8ad066b7263d24b9e3134a
      • Instruction Fuzzy Hash: F211DFB5D006498FCB24CF9AD444ADEFBF5AF88324F24842AD459A7610C3B9A945CFA1
      Memory Dump Source
      • Source File: 00000000.00000002.3024725743.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_6b90000_NfPIgjwteS.jbxd
      Similarity
      • API ID: DispatchMessage
      • String ID:
      • API String ID: 2061451462-0
      • Opcode ID: e1978c20b15c9a16a5cec26d30852b2f11dd28d183885a32671615cbd63d51a8
      • Instruction ID: 42be85f886b34432da6a7687a6d4af1fda2034221ec60ea10db4a65ddf0187c1
      • Opcode Fuzzy Hash: e1978c20b15c9a16a5cec26d30852b2f11dd28d183885a32671615cbd63d51a8
      • Instruction Fuzzy Hash: 071100B5C04649CFCB20CFAAD944BCEFBF4EB49324F20846AD418A3250C378A544CFA5
      Memory Dump Source
      • Source File: 00000000.00000002.3024725743.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_6b90000_NfPIgjwteS.jbxd
      Similarity
      • API ID: DispatchMessage
      • String ID:
      • API String ID: 2061451462-0
      • Opcode ID: fc96257229a3d4a34d5921c7aa75f0b9ea7900b2c815e0a1418b1cf78491e8f7
      • Instruction ID: c84446f18e23bc131b48a4aa566f2b6455031bea47c4083cc76c9d6a7c0ca30b
      • Opcode Fuzzy Hash: fc96257229a3d4a34d5921c7aa75f0b9ea7900b2c815e0a1418b1cf78491e8f7
      • Instruction Fuzzy Hash: EE1122B5D04649CFCB20CF9AD544BCEFBF5EB48314F24846AD418A3250C338A500CFA5
      Memory Dump Source
      • Source File: 00000000.00000002.3022419354.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_65d000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d755abc42f28b3a6c8145f1eef4f6ed8786c7cd0b254eb7c5df433787c3ec449
      • Instruction ID: 4b5a0566adce3de4bd799b6c6b186ff0d26ae9c802e60526e86b1da6e7faf07d
      • Opcode Fuzzy Hash: d755abc42f28b3a6c8145f1eef4f6ed8786c7cd0b254eb7c5df433787c3ec449
      • Instruction Fuzzy Hash: D82128B1504200EFDB25DF14D9C0B26BFA6FB94325F24C569ED090B396C336E85AD7A1
      Memory Dump Source
      • Source File: 00000000.00000002.3022419354.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_65d000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e2ca73f077971c223b19bd97d672a5e54a211c7d266645b0e0462d3941552ec5
      • Instruction ID: 194c41fd7dbafea0feaa4e303ad346dc84feb766aba94d1292aae3a53ae44c4e
      • Opcode Fuzzy Hash: e2ca73f077971c223b19bd97d672a5e54a211c7d266645b0e0462d3941552ec5
      • Instruction Fuzzy Hash: FC2136B1504200DFCB25CF04C9C0B26BF66FB98319F208569ED090B396D336D84ACAA2
      Memory Dump Source
      • Source File: 00000000.00000002.3022485908.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_66d000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: cb81811ad5260b3ef23b032afb0f219ae5dfc58707e49ada42c80ab91a241e33
      • Instruction ID: bc267334b74344bf659bf37507f32febb9ad1dd73cc0ac0899a19da4f9a108c9
      • Opcode Fuzzy Hash: cb81811ad5260b3ef23b032afb0f219ae5dfc58707e49ada42c80ab91a241e33
      • Instruction Fuzzy Hash: A92129B1A04240EFDB15DF14D5D0B26BB6AFB84314F24C56DEA094B355C336D946CB61
      Memory Dump Source
      • Source File: 00000000.00000002.3022485908.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_66d000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 78f27009493783b362c5afc167e3507ad538fc5793266ec7b79ad9cbff649682
      • Instruction ID: 6c3e8826aa6abd959811350ffb0930176be609eea2caf36bddaf94bb6a851407
      • Opcode Fuzzy Hash: 78f27009493783b362c5afc167e3507ad538fc5793266ec7b79ad9cbff649682
      • Instruction Fuzzy Hash: 6A2126B1A04240EFDB04DF14D5C0B2ABB66FBC4324F24C669D9095B346C33AD806DAA2
      Memory Dump Source
      • Source File: 00000000.00000002.3022485908.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_66d000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2c2845a5b4f611b2f14ba92405af2b2075a7e1c5af5ba05a840fb8327171c725
      • Instruction ID: 31b13277f5d6f7059df44e5fa887f5c753bca832b116524864fc95558cb5d7bb
      • Opcode Fuzzy Hash: 2c2845a5b4f611b2f14ba92405af2b2075a7e1c5af5ba05a840fb8327171c725
      • Instruction Fuzzy Hash: F321F2B5A04240DFCB14DF14D9C0B26BB66FB88314F24C96DE90A4B396C33BD847CAA1
      Memory Dump Source
      • Source File: 00000000.00000002.3022419354.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_65d000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
      • Instruction ID: b3507d6eeb7b23785d3e5ab714929a6a1fd42f59440ba97dfcc512b5e8caf807
      • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
      • Instruction Fuzzy Hash: 7011DF72404240CFCB12CF00D5C0B56BFA2FB94324F24C5A9DC090B696C33AE85ACBA2
      Memory Dump Source
      • Source File: 00000000.00000002.3022419354.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_65d000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
      • Instruction ID: f7db738bc633ac71a0a726ab0665ee8584e03d79f454a4ac13fd392841de1759
      • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
      • Instruction Fuzzy Hash: EF11DF72404240CFCB16CF00D5C0B56BF72FB94318F2482A9DC090B296C33AD85ACBA1
      Memory Dump Source
      • Source File: 00000000.00000002.3022485908.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_66d000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
      • Instruction ID: 51766627eebf27d0eda19811a6d6b1a435cc398c5f1f18e1d64ddfaa1320ef17
      • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
      • Instruction Fuzzy Hash: 25118E75A04280DFDB15CF14D5C4B55BB62FB84314F24C6AAD8494B756C33AD84ACB61
      Memory Dump Source
      • Source File: 00000000.00000002.3022485908.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_66d000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
      • Instruction ID: 65a376ec13e1545c0e708b8207ab9a891cda2585a69eb219fae88db6c8afc06f
      • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
      • Instruction Fuzzy Hash: 2D11BB75A04280DFCB12CF10C5D0B15BBA2FB84314F28C6AAD9494B796C33AD84ACB61
      Memory Dump Source
      • Source File: 00000000.00000002.3022485908.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_66d000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
      • Instruction ID: 892d59cdcd697e6ddd922b482c21a37a2c53111e940b2319611bdb07e8d44c8b
      • Opcode Fuzzy Hash: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
      • Instruction Fuzzy Hash: 2011E275A04280DFDB11CF10D5C0B59FB62FB84324F24C6AAD8495B746C33AD80ACBA2
      Memory Dump Source
      • Source File: 00000000.00000002.3022419354.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_65d000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ac10dc347cd732ac61e64b7abce36ca890e5db5b189166c411ce8baaa0e104fb
      • Instruction ID: e7080ade4ad16d14fda86cde9a6a662a29293234e51dba0e353cdd336622ce8a
      • Opcode Fuzzy Hash: ac10dc347cd732ac61e64b7abce36ca890e5db5b189166c411ce8baaa0e104fb
      • Instruction Fuzzy Hash: 20F0FF75600604AF97208F0AD984C63FBADEBC5774715C55AEC494B752C671FC41CAA0
      Memory Dump Source
      • Source File: 00000000.00000002.3022419354.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_65d000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0eca8a44701a133f1030c6ac2fc721fc1c784c86ce95c968e1f4e68010365497
      • Instruction ID: 4b0488fb9881e99f75904e212ac259e63935bd797a9c7243f0fda543f5c49992
      • Opcode Fuzzy Hash: 0eca8a44701a133f1030c6ac2fc721fc1c784c86ce95c968e1f4e68010365497
      • Instruction Fuzzy Hash: E5F03C75104680AFD3258F06C984C63BFB9EF8A7607198489E8854B352C631FC42CB60
      Memory Dump Source
      • Source File: 00000000.00000002.3022879101.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_770000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID: U
      • API String ID: 0-3372436214
      • Opcode ID: 41eeb4645a5153ff489f7598c7e94f83aa9b47d239e318c2b318d10f99754564
      • Instruction ID: ca6b5c72ab7d898838e15a326d07cfe2f855bb1496f4891815c4c7668e887aa6
      • Opcode Fuzzy Hash: 41eeb4645a5153ff489f7598c7e94f83aa9b47d239e318c2b318d10f99754564
      • Instruction Fuzzy Hash: 0952F5B0602F06CFD724CF28EC881A97BB1FB40354F91C219D6665B2B5D7B8694ACF58
      Memory Dump Source
      • Source File: 00000000.00000002.3023707851.0000000004940000.00000040.00000800.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4940000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9870705030b3ddd53f751b6c8e942a88158934f32a62f06f4c2bbeeda71ada9d
      • Instruction ID: b0f0e00b2e8842223b0572a17b1a2b41f0cb4b938523618e964755b97ba704ba
      • Opcode Fuzzy Hash: 9870705030b3ddd53f751b6c8e942a88158934f32a62f06f4c2bbeeda71ada9d
      • Instruction Fuzzy Hash: 2D42A338A50219CFD714EF64C898E9DB7B2FF8A304F5181A9E509AB361DB30AD85DF50
      Memory Dump Source
      • Source File: 00000000.00000002.3023707851.0000000004940000.00000040.00000800.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4940000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0747233100f9a5965ceed38a9b6170719b2777a5446739413cdc499f76771373
      • Instruction ID: d6a63e65bfd95dade956ae247a8200e5fdf23db3787c98b9ee6e0aba21fda4c0
      • Opcode Fuzzy Hash: 0747233100f9a5965ceed38a9b6170719b2777a5446739413cdc499f76771373
      • Instruction Fuzzy Hash: D642A338A50219CFD714EF64C898E9DB7B2FF8A304F5181A9D509AB361DB30AD45DF50
      Memory Dump Source
      • Source File: 00000000.00000002.3022879101.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_770000_NfPIgjwteS.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c66c0ae93a3f373ffbb4fbab1dec51cadef1974b443bd9b0f672b7a1b7d942ae
      • Instruction ID: bb3c2af3f64ad93d2bc495919a48642fa6e6579bfa2e3556cf54b1a7af44cdf3
      • Opcode Fuzzy Hash: c66c0ae93a3f373ffbb4fbab1dec51cadef1974b443bd9b0f672b7a1b7d942ae
      • Instruction Fuzzy Hash: 4EA16432E00219CFCF16DFB4D84459EB7B2FF89340B15856EE909AB222DB75D955CB80