Analysis Report list of P.O.exe

Overview

General Information

Sample Name: list of P.O.exe
Analysis ID: 326337
MD5: 4bc8c3c14ccfe94a9eea971644f48469
SHA1: 36c93a58dd879a3fc56c38297d05a5bcd89ea7e7
SHA256: a2b202778eb54dc48fd49a2f90b7e6619f20c6d0c907d386da68e9c32fbcb68c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal FTP login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • list of P.O.exe (PID: 7156 cmdline: 'C:\Users\user\Desktop\list of P.O.exe' MD5: 4BC8C3C14CCFE94A9EEA971644F48469)
    • list of P.O.exe (PID: 6224 cmdline: C:\Users\user\Desktop\list of P.O.exe MD5: 4BC8C3C14CCFE94A9EEA971644F48469)
  • newapp.exe (PID: 6516 cmdline: 'C:\Users\user\AppData\Roaming\newapp\newapp.exe' MD5: 4BC8C3C14CCFE94A9EEA971644F48469)
    • newapp.exe (PID: 6816 cmdline: C:\Users\user\AppData\Roaming\newapp\newapp.exe MD5: 4BC8C3C14CCFE94A9EEA971644F48469)
  • newapp.exe (PID: 4972 cmdline: 'C:\Users\user\AppData\Roaming\newapp\newapp.exe' MD5: 4BC8C3C14CCFE94A9EEA971644F48469)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "pPSkmfrJ9hO", "URL: ": "https://WMSJ15tuzJ0HQU3MhtVn.org", "To: ": "alex.zhang@sonoscepa.net", "ByHost: ": "smtp.sonoscepa.net:587", "Password: ": "gqxA9ZbxGmuCi", "From: ": "alex.zhang@sonoscepa.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.753102125.0000000003B09000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.926206822.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 12 entries shown)

Unpacked PEs

Source | Rule | Description | Author
8.2.newapp.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.list of P.O.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: list of P.O.exe.6224.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "pPSkmfrJ9hO", "URL: ": "https://WMSJ15tuzJ0HQU3MhtVn.org", "To: ": "alex.zhang@sonoscepa.net", "ByHost: ": "smtp.sonoscepa.net:587", "Password: ": "gqxA9ZbxGmuCi", "From: ": "alex.zhang@sonoscepa.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: list of P.O.exe | Joe Sandbox ML: detected
Source: 1.2.list of P.O.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.2.newapp.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 4x nop then jmp 04E7AD15h 0_2_04E7AC75

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49755 -> 208.91.199.225:587
Source: global traffic | TCP traffic: 192.168.2.4:49755 -> 208.91.199.225:587
Source: Joe Sandbox View | IP Address: 208.91.199.225
Source: unknown | DNS traffic detected: queries for: smtp.sonoscepa.net
Source: list of P.O.exe, 00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: list of P.O.exe, 00000001.00000002.928767416.000000000307C000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.sonoscepa.net
Source: list of P.O.exe, 00000001.00000002.928767416.000000000307C000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: http://vkloll.com
Source: list of P.O.exe, 00000001.00000002.928802698.0000000003086000.00000004.00000001.sdmp, list of P.O.exe, 00000001.00000002.928753365.0000000003076000.00000004.00000001.sdmp, list of P.O.exe, 00000001.00000002.928675437.000000000303D000.00000004.00000001.sdmp | String found in binary or memory: https://WMSJ15tuzJ0HQU3MhtVn.org
Source: newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: list of P.O.exe, 00000000.00000002.669608907.00000000033E9000.00000004.00000001.sdmp, list of P.O.exe, 00000001.00000002.926206822.0000000000402000.00000040.00000001.sdmp, newapp.exe, 00000005.00000002.753102125.0000000003B09000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.926206299.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: list of P.O.exe, 00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: list of P.O.exe, newapp.exe, 00000005.00000002.753102125.0000000003B09000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.926206299.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: list of P.O.exe, 00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 1.2.list of P.O.exe.400000.0.unpack, <PrivateImplementationDetails>{E872A713-3E8C-484E-94F8-C04E52E968DA}/818D8455-59A3-4094-B9D9-312F3F825297.cs | Large array initialization: .cctor: array initializer size 11962
Source: 8.2.newapp.exe.400000.0.unpack, <PrivateImplementationDetails>{E872A713-3E8C-484E-94F8-C04E52E968DA}/818D8455-59A3-4094-B9D9-312F3F825297.cs | Large array initialization: .cctor: array initializer size 11962
.NET source code contains very large strings
Source: list of P.O.exe, MainModule.cs | Long String: Length: 81136
Source: 0.0.list of P.O.exe.10000.0.unpack, MainModule.cs | Long String: Length: 81136
Source: 0.2.list of P.O.exe.10000.0.unpack, MainModule.cs | Long String: Length: 81136
Source: newapp.exe.1.dr, MainModule.cs | Long String: Length: 81136
Source: 1.0.list of P.O.exe.850000.0.unpack, MainModule.cs | Long String: Length: 81136
Source: 1.2.list of P.O.exe.850000.1.unpack, MainModule.cs | Long String: Length: 81136
Source: 5.2.newapp.exe.670000.0.unpack, MainModule.cs | Long String: Length: 81136
Source: 5.0.newapp.exe.670000.0.unpack, MainModule.cs | Long String: Length: 81136
Source: 8.2.newapp.exe.4d0000.1.unpack, MainModule.cs | Long String: Length: 81136
Source: 8.0.newapp.exe.4d0000.0.unpack, MainModule.cs | Long String: Length: 81136
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 0_2_00A1A908
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 0_2_00A19A18
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 0_2_00A17F70
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 0_2_04E777E0
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 0_2_04E735FC
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 0_2_04E76E20
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 0_2_04E76E13
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 0_2_04E777D1
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 0_2_00019761
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_004055FC
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_011A46A0
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_011A461A
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_011AD980
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_011E4880
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_011EBA30
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_011E6E24
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_011E9258
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_011E0040
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_01253040
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_012592E8
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_0125462C
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_00859761
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 5_2_0294A908
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 5_2_02947F70
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 5_2_02949CF0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 5_2_02946BC7
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 5_2_00679761
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_026546A0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_026545B0
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_0265D980
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_004D9761
Source: list of P.O.exe, 00000000.00000002.674920597.0000000026280000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNT1.dll, vs list of P.O.exe
Source: list of P.O.exe, 00000000.00000000.661062926.00000000000B2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDictionaryNode.exe@ vs list of P.O.exe
Source: list of P.O.exe, 00000000.00000002.669608907.00000000033E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGlaxoSmithKline.dll@ vs list of P.O.exe
Source: list of P.O.exe, 00000000.00000002.669608907.00000000033E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameXZWRRXtkFEFbKFPTrQkenPzvprcODpESzrmrVO.exe4 vs list of P.O.exe
Source: list of P.O.exe | Binary or memory string: OriginalFilename vs list of P.O.exe
Source: list of P.O.exe, 00000001.00000002.927586303.0000000001200000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs list of P.O.exe
Source: list of P.O.exe, 00000001.00000002.926206822.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameXZWRRXtkFEFbKFPTrQkenPzvprcODpESzrmrVO.exe4 vs list of P.O.exe
Source: list of P.O.exe, 00000001.00000000.667728980.00000000008F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDictionaryNode.exe@ vs list of P.O.exe
Source: list of P.O.exe, 00000001.00000002.926535911.0000000000CF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs list of P.O.exe
Source: list of P.O.exe, 00000001.00000002.932653118.0000000005FC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs list of P.O.exe
Source: list of P.O.exe | Binary or memory string: OriginalFilenameDictionaryNode.exe@ vs list of P.O.exe
Source: list of P.O.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: newapp.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.2.list of P.O.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.newapp.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/4@2/1
Source: C:\Users\user\Desktop\list of P.O.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\list of P.O.exe.log
Source: C:\Users\user\Desktop\list of P.O.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\list of P.O.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\list of P.O.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\list of P.O.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\list of P.O.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\list of P.O.exe | File read: C:\Users\user\Desktop\list of P.O.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\list of P.O.exe 'C:\Users\user\Desktop\list of P.O.exe'
Source: unknown | Process created: C:\Users\user\Desktop\list of P.O.exe C:\Users\user\Desktop\list of P.O.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
Source: C:\Users\user\Desktop\list of P.O.exe | Process created: C:\Users\user\Desktop\list of P.O.exe C:\Users\user\Desktop\list of P.O.exe
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
Source: C:\Users\user\Desktop\list of P.O.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\list of P.O.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\list of P.O.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: list of P.O.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: list of P.O.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_00FBE38A push eax; ret 1_2_00FBE349
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_00FBD95C push eax; ret 1_2_00FBD95D
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_00FBE332 push eax; ret 1_2_00FBE349
Source: C:\Users\user\Desktop\list of P.O.exe | Code function: 1_2_011EB250 pushfd ; retf 1_2_011EB251
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 5_2_0294003C push eax; iretd 5_2_0294004A
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 5_2_02941C97 push ebx; iretd 5_2_02941CA6
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_00B3D95C push eax; ret 8_2_00B3D95D
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 8_2_00B3E348 push eax; ret 8_2_00B3E349
Source: initial sample | Static PE information: section name: .text entropy: 6.95700056065
Source: C:\Users\user\Desktop\list of P.O.exe | File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe (dropped file)
Source: C:\Users\user\Desktop\list of P.O.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\list of P.O.exe | File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\list of P.O.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\list of P.O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Yara detected AntiVM_3
                Source: Yara match, File source: 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.669167585.00000000023E1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: list of P.O.exe PID: 7156, type: MEMORY
                Source: Yara match, File source: Process Memory Space: newapp.exe PID: 6516, type: MEMORY
                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\list of P.O.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\list of P.O.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: list of P.O.exe, 00000000.00000002.669167585.00000000023E1000.00000004.00000001.sdmp, newapp.exe, 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                Source: list of P.O.exe, 00000000.00000002.669167585.00000000023E1000.00000004.00000001.sdmp, newapp.exe, 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                Source: C:\Users\user\Desktop\list of P.O.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\list of P.O.exe Window / User API: threadDelayed 1373
                Source: C:\Users\user\Desktop\list of P.O.exe Window / User API: threadDelayed 8470
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Window / User API: threadDelayed 3821
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Window / User API: threadDelayed 6002
                Source: C:\Users\user\Desktop\list of P.O.exe TID: 7160 Thread sleep time: -53447s >= -30000s
                Source: C:\Users\user\Desktop\list of P.O.exe TID: 5744 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\list of P.O.exe TID: 3980 Thread sleep time: -19369081277395017s >= -30000s
                Source: C:\Users\user\Desktop\list of P.O.exe TID: 4420 Thread sleep count: 1373 > 30
                Source: C:\Users\user\Desktop\list of P.O.exe TID: 4420 Thread sleep count: 8470 > 30
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 6524 Thread sleep time: -49943s >= -30000s
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 6632 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 4600 Thread sleep count: 37 > 30
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 4600 Thread sleep time: -34126476536362649s >= -30000s
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1504 Thread sleep count: 3821 > 30
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1504 Thread sleep count: 6002 > 30
                Source: C:\Users\user\Desktop\list of P.O.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\list of P.O.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: newapp.exe, 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: newapp.exe, 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp Binary or memory string: vmware
                Source: newapp.exe, 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
                Source: newapp.exe, 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                Source: C:\Users\user\Desktop\list of P.O.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\list of P.O.exe Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\list of P.O.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\list of P.O.exe Memory written: C:\Users\user\Desktop\list of P.O.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\list of P.O.exe Process created: C:\Users\user\Desktop\list of P.O.exe C:\Users\user\Desktop\list of P.O.exe
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
                Source: list of P.O.exe, 00000001.00000002.927738084.0000000001660000.00000002.00000001.sdmp, newapp.exe, 00000008.00000002.927326149.0000000001240000.00000002.00000001.sdmp Binary or memory string: Program Manager
                Source: list of P.O.exe, 00000001.00000002.927738084.0000000001660000.00000002.00000001.sdmp, newapp.exe, 00000008.00000002.927326149.0000000001240000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: list of P.O.exe, 00000001.00000002.927738084.0000000001660000.00000002.00000001.sdmp, newapp.exe, 00000008.00000002.927326149.0000000001240000.00000002.00000001.sdmp Binary or memory string: Progman
                Source: list of P.O.exe, 00000001.00000002.927738084.0000000001660000.00000002.00000001.sdmp, newapp.exe, 00000008.00000002.927326149.0000000001240000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Users\user\Desktop\list of P.O.exe VolumeInformation
                Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\list of P.O.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\list of P.O.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

                Yara detected AgentTesla
                Source: Yara match, File source: 00000005.00000002.753102125.0000000003B09000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000001.00000002.926206822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.926206299.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.669608907.00000000033E9000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: newapp.exe PID: 6816, type: MEMORY
                Source: Yara match, File source: Process Memory Space: list of P.O.exe PID: 7156, type: MEMORY
                Source: Yara match, File source: Process Memory Space: newapp.exe PID: 6516, type: MEMORY
                Source: Yara match, File source: Process Memory Space: list of P.O.exe PID: 6224, type: MEMORY
                Source: Yara match, File source: 8.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 1.2.list of P.O.exe.400000.0.unpack, type: UNPACKEDPE
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Users\user\Desktop\list of P.O.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Tries to harvest and steal ftp login credentials
                Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Tries to steal Mail credentials (via file access)
                Source: C:\Users\user\Desktop\list of P.O.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\list of P.O.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\Desktop\list of P.O.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: Yara match, File source: 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: newapp.exe PID: 6816, type: MEMORY
                Source: Yara match, File source: Process Memory Space: list of P.O.exe PID: 6224, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match, File source: 00000005.00000002.753102125.0000000003B09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.926206822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.926206299.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.669608907.00000000033E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: newapp.exe PID: 6816, type: MEMORY
Source: Yara match, File source: Process Memory Space: list of P.O.exe PID: 7156, type: MEMORY
Source: Yara match, File source: Process Memory Space: newapp.exe PID: 6516, type: MEMORY
Source: Yara match, File source: Process Memory Space: list of P.O.exe PID: 6224, type: MEMORY
Source: Yara match, File source: 8.2.newapp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.list of P.O.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Process Injection 112 | Disable or Modify Tools 1 | OS Credential Dumping 2 | System Information Discovery 114 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | Query Registry 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 3 | Security Account Manager | Security Software Discovery 311 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 3 | NTDS | Virtualization/Sandbox Evasion 13 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 13 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

Behavior Graph

Behavior Graph ID: 326337, Sample: list of P.O.exe, Startdate: 03/12/2020, Architecture: WINDOWS, Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Yara detected AgentTesla; 7 other signatures

Process tree and per-process findings from the graph:
• list of P.O.exe (started)
  • dropped: C:\Users\user\AppData\...\list of P.O.exe.log, ASCII
  • signature: Injects a PE file into a foreign processes
  • list of P.O.exe (started)
    • DNS: smtp.sonoscepa.net
    • connection: us2.smtp.mailhostbox.com 208.91.199.225, 49755, 587, PUBLIC-DOMAIN-REGISTRYUS, United States
    • dropped: C:\Users\user\AppData\Roaming\...\newapp.exe, PE32
    • dropped: C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII
    • signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
• newapp.exe (started)
  • signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  • newapp.exe (started)
• newapp.exe (started)

                Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
list of P.O.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\newapp\newapp.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\newapp\newapp.exe | 25% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.list of P.O.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
8.2.newapp.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

Source | Detection | Scanner | Label
smtp.sonoscepa.net | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://smtp.sonoscepa.net | 0% | Virustotal |
http://smtp.sonoscepa.net | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://vkloll.com | 0% | Avira URL Cloud | safe
https://WMSJ15tuzJ0HQU3MhtVn.org | 0% | Avira URL Cloud | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.225 | true | false | | high
smtp.sonoscepa.net | unknown | unknown | true | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | list of P.O.exe, 00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://smtp.sonoscepa.net | list of P.O.exe, 00000001.00000002.928767416.000000000307C000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://us2.smtp.mailhostbox.com | list of P.O.exe, 00000001.00000002.928767416.000000000307C000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | list of P.O.exe, 00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot%telegramapi%/ | list of P.O.exe, 00000000.00000002.669608907.00000000033E9000.00000004.00000001.sdmp, list of P.O.exe, 00000001.00000002.926206822.0000000000402000.00000040.00000001.sdmp, newapp.exe, 00000005.00000002.753102125.0000000003B09000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.926206299.0000000000402000.00000040.00000001.sdmp | false | | high
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x | list of P.O.exe, 00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | list of P.O.exe, newapp.exe, 00000005.00000002.753102125.0000000003B09000.00000004.00000001.sdmp, newapp.exe, 00000008.00000002.926206299.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://vkloll.com | newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://WMSJ15tuzJ0HQU3MhtVn.org | list of P.O.exe, 00000001.00000002.928802698.0000000003086000.00000004.00000001.sdmp, list of P.O.exe, 00000001.00000002.928753365.0000000003076000.00000004.00000001.sdmp, list of P.O.exe, 00000001.00000002.928675437.000000000303D000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://api.ipify.orgGETMozilla/5.0 | newapp.exe, 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                        Contacted IPs


                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.199.225 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

                        General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 326337
Start date: 03.12.2020
Start time: 10:04:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 36s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: list of P.O.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/4@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.5% (good quality ratio 0.5%)
• Quality average: 55%
• Quality standard deviation: 21.9%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 77
• Number of non-executed functions: 7
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 51.104.139.180, 40.88.32.150, 52.155.217.156, 2.20.142.210, 2.20.142.209, 20.54.26.129, 92.122.213.247, 92.122.213.194, 168.61.161.212
• Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
10:05:12 | API Interceptor | 805x Sleep call for process: list of P.O.exe modified
10:05:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
10:05:43 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
10:05:48 | API Interceptor | 538x Sleep call for process: newapp.exe modified

                        Joe Sandbox View / Context

                        IPs

Match: 208.91.199.225
Associated samples (detection: malicious):
• Scan0202.exe
• F9g721I4sS.rtf
• Payment advise_pdf__________________________________.exe
• New Order.xlsx
• Invoice.xlsx
• TT receipt.xlsx
• Payment.exe
• Update Account.exe
• RFQ-272021.exe
• SecuriteInfo.com.BehavesLike.Win32.Generic.bc.exe
• qvI6l0RoMB.exe
• aguerox.exe
• dchampfrndx.exe
• dchamp.exe
• New shipment.exe
• MIC Taiwan RFQ.doc
• SecuriteInfo.com.BackDoor.SpyBotNET.25.28952.exe
• Inquiry.xlsx
• Shipping DOC_PDF.exe
• mcsrXx9lfD.exe

                                                                Domains

Match: us2.smtp.mailhostbox.com
Associated samples (detection: malicious), each with the IP recorded for the domain in that analysis:
• New Inquiry015 02-12-2020.exe (208.91.198.143)
• New Order Inquiry.PDF.exe (208.91.198.143)
• Salary_PMT.exe (208.91.199.224)
• Swift Copy.exe (208.91.198.143)
• Scan0202.exe (208.91.199.225)
• F9g721I4sS.rtf (208.91.199.224)
• Payment advise_pdf__________________________________.exe (208.91.199.225)
• Fagner Order_pdf.exe (208.91.199.223)
• PO-789906504.exe (208.91.199.224)
• Al Jaber Dubai.exe (208.91.199.223)
• SecuriteInfo.com.Generic.mg.bcffd84bcd9111df.exe (208.91.199.224)
• SecuriteInfo.com.Generic.mg.db37503e0e66b5c4.exe (208.91.199.224)
• New Order.xlsx (208.91.199.225)
• vbc.exe (208.91.199.223)
• SecuriteInfo.com.Generic.mg.0944e0c972d02445.exe (208.91.198.143)
• inquiry.xlsx (208.91.199.224)
• vbc.exe (208.91.199.223)
• Invoice.xlsx (208.91.199.224)
• Purchase Order 1508521.xlsx (208.91.199.223)
• Purchase Order 1508521.xlsx (208.91.199.224)

                                                                ASN

Match: PUBLIC-DOMAIN-REGISTRYUS
Associated samples (detection: malicious), each with the IP recorded in that analysis:
• New Inquiry015 02-12-2020.exe (208.91.198.143)
• New Order Inquiry.PDF.exe (208.91.198.143)
• Salary_PMT.exe (208.91.199.224)
• Swift Copy.exe (208.91.198.143)
• Scan0202.exe (208.91.199.225)
• F9g721I4sS.rtf (208.91.199.225)
• Payment advise_pdf__________________________________.exe (208.91.199.225)
• Fagner Order_pdf.exe (208.91.199.224)
• PO-789906504.exe (208.91.199.224)
• Al Jaber Dubai.exe (208.91.199.223)
• AddressValidateForm-490710598-12022020.xls (103.195.185.149)
• AddressValidateForm-490710598-12022020.xls (103.195.185.149)
• https://dynalist.io/d/TcKkPvWijzGN4uv-0OCmM26A (199.79.62.144)
• https://www.paperturn-view.com/?pid=MTI128610 (199.79.62.243)
• r.dll (103.53.40.79)
• SecuriteInfo.com.Generic.mg.bcffd84bcd9111df.exe (208.91.199.224)
• SecuriteInfo.com.Generic.mg.db37503e0e66b5c4.exe (208.91.199.224)
• New Order.xlsx (208.91.199.225)
• vbc.exe (208.91.199.223)
• SecuriteInfo.com.Generic.mg.0944e0c972d02445.exe (208.91.198.143)

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\list of P.O.exe.log
Process: C:\Users\user\Desktop\list of P.O.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 792
Entropy (8bit): 5.331449916613832
Encrypted: false
SSDEEP: 24:MLKE4K5E4Ks29E4Kx1qE4x84qXKDE4KhK3VZ9pKhk:MuHK5HKX9HKx1qHxviYHKhQnok
MD5: 48C35637F4E5AE32A768BDF159A4B32E
SHA1: C27B5E37426D6496AF195A39B7882DF50341EE4A
SHA-256: 43567270C0C1C1BCD458595B138034B2A6F6DC4B2DFFA475AE7D629BE4C93BD2
SHA-512: B4E98A592CC5EDB8E3379283756A01B7712922748BF4FC19E41B1205DD404367C11357BB17824419A2C4B2CE007BEAA55EBA97F602BC5B361EABC222CBC0374D
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log
Process: C:\Users\user\AppData\Roaming\newapp\newapp.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 792
Entropy (8bit): 5.331449916613832
Encrypted: false
SSDEEP: 24:MLKE4K5E4Ks29E4Kx1qE4x84qXKDE4KhK3VZ9pKhk:MuHK5HKX9HKx1qHxviYHKhQnok
MD5: 48C35637F4E5AE32A768BDF159A4B32E
SHA1: C27B5E37426D6496AF195A39B7882DF50341EE4A
SHA-256: 43567270C0C1C1BCD458595B138034B2A6F6DC4B2DFFA475AE7D629BE4C93BD2
SHA-512: B4E98A592CC5EDB8E3379283756A01B7712922748BF4FC19E41B1205DD404367C11357BB17824419A2C4B2CE007BEAA55EBA97F602BC5B361EABC222CBC0374D
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                                C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                Process:C:\Users\user\Desktop\list of P.O.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):650752
                                                                Entropy (8bit):6.9475266013442045
                                                                Encrypted:false
                                                                SSDEEP:12288:zBfDf1gZ9WN2qPVGNbTuMuKBD7hpvA2invDMWS40VxaqCwsyt+mwdB5hw7V9nf:zVPST0sDd9eFEAnny0mws7
                                                                MD5:4BC8C3C14CCFE94A9EEA971644F48469
                                                                SHA1:36C93A58DD879A3FC56C38297D05A5BCD89EA7E7
                                                                SHA-256:A2B202778EB54DC48FD49A2F90B7E6619F20C6D0C907D386DA68E9C32FBCB68C
                                                                SHA-512:DEE37A8E367C30A4BAE568D6CCF0B32E21F697B97A631CDA9B0EEA8B90F32DCC1E677EB666F1EB08D26146F68A6B696705C741BB2EBC5CF6E65EBE19D955247D
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 25%
                                                                Reputation:low
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#._..............P.............~.... ... ....@.. .......................`............@.................................,...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................`.......H........`...i...............8............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r5..p~....o-...(......t$....+..*Vs....(/...t.........*..(0...*.0..........
                                                                C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier
                                                                Process:C:\Users\user\Desktop\list of P.O.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Reputation:high, very likely benign file
                                                                Preview: [ZoneTransfer]....ZoneId=0

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):6.9475266013442045
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                File name:list of P.O.exe
                                                                File size:650752
                                                                MD5:4bc8c3c14ccfe94a9eea971644f48469
                                                                SHA1:36c93a58dd879a3fc56c38297d05a5bcd89ea7e7
                                                                SHA256:a2b202778eb54dc48fd49a2f90b7e6619f20c6d0c907d386da68e9c32fbcb68c
                                                                SHA512:dee37a8e367c30a4bae568d6ccf0b32e21f697b97a631cda9b0eea8b90f32dcc1e677eb666f1eb08d26146f68a6b696705c741bb2ebc5cf6e65ebe19d955247d
                                                                SSDEEP:12288:zBfDf1gZ9WN2qPVGNbTuMuKBD7hpvA2invDMWS40VxaqCwsyt+mwdB5hw7V9nf:zVPST0sDd9eFEAnny0mws7
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#._..............P.............~.... ... ....@.. .......................`............@................................

                                                                File Icon

                                                                Icon Hash:00828e8e8686b000

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x4a027e
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                Time Stamp:0x5FC8238A [Wed Dec 2 23:30:18 2020 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:v4.0.30319
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                Entrypoint Preview

                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa022c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x5dc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9e284 | 0x9e400 | False | 0.703148141291 | data | 6.95700056065 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xa2000 | 0x5dc | 0x600 | False | 0.426432291667 | data | 4.15897577483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xa2090 | 0x34c | data | |
RT_MANIFEST | 0xa23ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2011
Assembly Version | 1.0.0.0
InternalName | DictionaryNode.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | LoginWindowsApp
ProductVersion | 1.0.0.0
FileDescription | LoginWindowsApp
OriginalFilename | DictionaryNode.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
12/03/20-10:06:55.130495 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49755 | 587 | 192.168.2.4 | 208.91.199.225

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2020 10:06:53.541992903 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225
Dec 3, 2020 10:06:53.691517115 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4
Dec 3, 2020 10:06:53.691674948 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225
Dec 3, 2020 10:06:54.209743977 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4
Dec 3, 2020 10:06:54.210197926 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225
Dec 3, 2020 10:06:54.359502077 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4
Dec 3, 2020 10:06:54.359529972 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4
Dec 3, 2020 10:06:54.360852003 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225
Dec 3, 2020 10:06:54.510858059 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4
Dec 3, 2020 10:06:54.511495113 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225
Dec 3, 2020 10:06:54.663302898 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4
Dec 3, 2020 10:06:54.664274931 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225
Dec 3, 2020 10:06:54.814652920 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4
Dec 3, 2020 10:06:54.817707062 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225
Dec 3, 2020 10:06:54.975519896 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4
Dec 3, 2020 10:06:54.975816011 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225
Dec 3, 2020 10:06:55.125483990 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4
Dec 3, 2020 10:06:55.130495071 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225
Dec 3, 2020 10:06:55.130774975 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225
Dec 3, 2020 10:06:55.131490946 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225
Dec 3, 2020 10:06:55.131561995 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225
Dec 3, 2020 10:06:55.280059099 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4
Dec 3, 2020 10:06:55.280772924 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4
Dec 3, 2020 10:06:55.392534018 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4
Dec 3, 2020 10:06:55.446288109 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2020 10:05:29.946433067 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:29.982129097 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:30.807250977 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:30.834280968 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:31.029256105 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:31.056555033 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:31.601881027 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:31.629007101 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:32.513299942 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:32.540298939 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:51.748588085 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:51.784224033 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:52.485482931 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:52.520925045 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:53.208003998 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:53.245230913 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:53.323091030 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:53.358387947 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:53.913110971 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:53.953476906 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:54.396658897 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:54.492934942 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:54.990587950 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:55.025863886 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:55.533962011 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:55.569493055 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:55.952414989 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:55.995779991 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:56.534075022 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:56.569401026 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:57.281593084 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:57.322081089 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:05:57.756759882 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:05:57.783782005 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:06:10.953772068 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:06:10.990626097 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:06:37.890407085 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:06:37.917579889 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:06:38.953031063 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:06:38.980031967 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:06:43.984344006 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:06:44.011482000 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:06:46.188503981 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:06:46.232362986 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:06:53.194719076 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Dec 3, 2020 10:06:53.360893965 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Dec 3, 2020 10:06:53.380086899 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                                                Dec 3, 2020 10:06:53.415900946 CET53506018.8.8.8192.168.2.4
                                                                Dec 3, 2020 10:07:09.929637909 CET6087553192.168.2.48.8.8.8
                                                                Dec 3, 2020 10:07:09.956590891 CET53608758.8.8.8192.168.2.4
                                                                Dec 3, 2020 10:07:10.742408037 CET5644853192.168.2.48.8.8.8
                                                                Dec 3, 2020 10:07:10.769412041 CET53564488.8.8.8192.168.2.4

                                                                DNS Queries

                                                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                 Dec 3, 2020 10:06:53.194719076 CET | 192.168.2.4 | 8.8.8.8 | 0x9cbb | Standard query (0) | smtp.sonoscepa.net | A (IP address) | IN (0x0001)
                                                                 Dec 3, 2020 10:06:53.380086899 CET | 192.168.2.4 | 8.8.8.8 | 0x2d80 | Standard query (0) | smtp.sonoscepa.net | A (IP address) | IN (0x0001)

                                                                DNS Answers

                                                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                 Dec 3, 2020 10:06:53.360893965 CET | 8.8.8.8 | 192.168.2.4 | 0x9cbb | No error (0) | smtp.sonoscepa.net | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
                                                                 Dec 3, 2020 10:06:53.360893965 CET | 8.8.8.8 | 192.168.2.4 | 0x9cbb | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
                                                                 Dec 3, 2020 10:06:53.360893965 CET | 8.8.8.8 | 192.168.2.4 | 0x9cbb | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)
                                                                 Dec 3, 2020 10:06:53.360893965 CET | 8.8.8.8 | 192.168.2.4 | 0x9cbb | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)
                                                                 Dec 3, 2020 10:06:53.360893965 CET | 8.8.8.8 | 192.168.2.4 | 0x9cbb | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)
                                                                 Dec 3, 2020 10:06:53.415900946 CET | 8.8.8.8 | 192.168.2.4 | 0x2d80 | No error (0) | smtp.sonoscepa.net | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
                                                                 Dec 3, 2020 10:06:53.415900946 CET | 8.8.8.8 | 192.168.2.4 | 0x2d80 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
                                                                 Dec 3, 2020 10:06:53.415900946 CET | 8.8.8.8 | 192.168.2.4 | 0x2d80 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)
                                                                 Dec 3, 2020 10:06:53.415900946 CET | 8.8.8.8 | 192.168.2.4 | 0x2d80 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)
                                                                 Dec 3, 2020 10:06:53.415900946 CET | 8.8.8.8 | 192.168.2.4 | 0x2d80 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)

                                                                SMTP Packets

                                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                 Dec 3, 2020 10:06:54.209743977 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                 Dec 3, 2020 10:06:54.210197926 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225 | EHLO 428040
                                                                 Dec 3, 2020 10:06:54.359529972 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
                                                                     250-PIPELINING
                                                                     250-SIZE 41648128
                                                                     250-VRFY
                                                                     250-ETRN
                                                                     250-STARTTLS
                                                                     250-AUTH PLAIN LOGIN
                                                                     250-AUTH=PLAIN LOGIN
                                                                     250-ENHANCEDSTATUSCODES
                                                                     250-8BITMIME
                                                                     250 DSN
                                                                 Dec 3, 2020 10:06:54.360852003 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225 | AUTH login YWxleC56aGFuZ0Bzb25vc2NlcGEubmV0
                                                                 Dec 3, 2020 10:06:54.510858059 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                                                 Dec 3, 2020 10:06:54.663302898 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4 | 235 2.7.0 Authentication successful
                                                                 Dec 3, 2020 10:06:54.664274931 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225 | MAIL FROM:<alex.zhang@sonoscepa.net>
                                                                 Dec 3, 2020 10:06:54.814652920 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4 | 250 2.1.0 Ok
                                                                 Dec 3, 2020 10:06:54.817707062 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225 | RCPT TO:<alex.zhang@sonoscepa.net>
                                                                 Dec 3, 2020 10:06:54.975519896 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4 | 250 2.1.5 Ok
                                                                 Dec 3, 2020 10:06:54.975816011 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225 | DATA
                                                                 Dec 3, 2020 10:06:55.125483990 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4 | 354 End data with <CR><LF>.<CR><LF>
                                                                 Dec 3, 2020 10:06:55.131561995 CET | 49755 | 587 | 192.168.2.4 | 208.91.199.225 | .
                                                                 Dec 3, 2020 10:06:55.392534018 CET | 587 | 49755 | 208.91.199.225 | 192.168.2.4 | 250 2.0.0 Ok: queued as DB527D5CFE

                                                                Code Manipulations

                                                                Statistics

                                                                CPU Usage

                                                                Memory Usage

                                                                High Level Behavior Distribution

                                                                Behavior

                                                                System Behavior

                                                                General

                                                                Start time:10:05:09
                                                                Start date:03/12/2020
                                                                Path:C:\Users\user\Desktop\list of P.O.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\list of P.O.exe'
                                                                Imagebase:0x10000
                                                                File size:650752 bytes
                                                                MD5 hash:4BC8C3C14CCFE94A9EEA971644F48469
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.669167585.00000000023E1000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.669608907.00000000033E9000.00000004.00000001.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Start time:10:05:12
                                                                Start date:03/12/2020
                                                                Path:C:\Users\user\Desktop\list of P.O.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\Desktop\list of P.O.exe
                                                                Imagebase:0x850000
                                                                File size:650752 bytes
                                                                MD5 hash:4BC8C3C14CCFE94A9EEA971644F48469
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.928152880.0000000002D21000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.926206822.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Start time:10:05:43
                                                                Start date:03/12/2020
                                                                Path:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
                                                                Imagebase:0x670000
                                                                File size:650752 bytes
                                                                MD5 hash:4BC8C3C14CCFE94A9EEA971644F48469
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.753102125.0000000003B09000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.752268135.0000000002B01000.00000004.00000001.sdmp, Author: Joe Security
                                                                Antivirus matches:
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 25%, ReversingLabs
                                                                Reputation:low

                                                                General

                                                                Start time:10:05:49
                                                                Start date:03/12/2020
                                                                Path:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                Imagebase:0x4d0000
                                                                File size:650752 bytes
                                                                MD5 hash:4BC8C3C14CCFE94A9EEA971644F48469
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.927566603.00000000027D1000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.926206299.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Start time:10:05:51
                                                                Start date:03/12/2020
                                                                Path:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
                                                                Imagebase:0xca0000
                                                                File size:650752 bytes
                                                                MD5 hash:4BC8C3C14CCFE94A9EEA971644F48469
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:low

                                                                Disassembly

                                                                Code Analysis

                                                                  Executed Functions

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.668944657.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a4f085d5dadd23286145bdfc0477b08e1666a7c3773f9fdbe574d00add2746fb
                                                                  • Instruction ID: 10a4d3807600d7b7e26be9087fecaa797f6e0f79096a47cf6bd998b41f62856e
                                                                  • Opcode Fuzzy Hash: a4f085d5dadd23286145bdfc0477b08e1666a7c3773f9fdbe574d00add2746fb
                                                                  • Instruction Fuzzy Hash: 75A26B70A012198FCB14CF69C894AAEBBF2EF98344F158469E805DB3A1DB35DC85CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.668944657.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e2b03efc86c31f9d1627b20288f1c6fa24f8501a228d2430e448b9c8e3c30084
                                                                  • Instruction ID: 46849e3a0c218e6ac1de8a8bbbce1c90914b985f109fb7c618526d6bc3ceacb1
                                                                  • Opcode Fuzzy Hash: e2b03efc86c31f9d1627b20288f1c6fa24f8501a228d2430e448b9c8e3c30084
                                                                  • Instruction Fuzzy Hash: E3923730A00609DFCB15CF69D584AEEBBF2FF98315F158559E8199B2A1D730EC81CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.668944657.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 67209420238e29ec1bb1142a2ef3cbb974eea3f6503dc2b51faa715151603861
                                                                  • Instruction ID: 676704ce9ab4d37d251e883171b3034935c7f862ab910b21044128ff8397ede0
                                                                  • Opcode Fuzzy Hash: 67209420238e29ec1bb1142a2ef3cbb974eea3f6503dc2b51faa715151603861
                                                                  • Instruction Fuzzy Hash: 3D22D174E002688FDB64DFA9C940BDEBBF2AF89300F1580A9D509AB365DB345E85CF51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e5e790bfbbf3bbe2c8a10c826d4c3373325b5a13964081ea7808b9b8af01ba93
                                                                  • Instruction ID: c02c41ebedb19d49f54dc117297b524304a2ee2f2d2c143246da257c35c46dae
                                                                  • Opcode Fuzzy Hash: e5e790bfbbf3bbe2c8a10c826d4c3373325b5a13964081ea7808b9b8af01ba93
                                                                  • Instruction Fuzzy Hash: A1914674E052588BDB04CFE9C5446EEBBF2AF88324F26E125D858AB305E734A941CF50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6a723cf622a2e114705079a6c0edc09f405310f6b17e3d58ed9a3a37ca0e8888
                                                                  • Instruction ID: f302de2137cccaf352528fd46a8191600fc54b49d6962d0eaaa499199e970415
                                                                  • Opcode Fuzzy Hash: 6a723cf622a2e114705079a6c0edc09f405310f6b17e3d58ed9a3a37ca0e8888
                                                                  • Instruction Fuzzy Hash: D8615574E062588FDB00CFA9C5446EEBBF2AF89310F25D06AD848AB315E734A941CF51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4d3c129ccfd493cb2d0ea10f1dd63d9dc9400104795c60c96a3c220b9620a9be
                                                                  • Instruction ID: 38f03aa52f4bb77bed8a09f614660ff0640a9d49ca13fbe32fc656045c911f60
                                                                  • Opcode Fuzzy Hash: 4d3c129ccfd493cb2d0ea10f1dd63d9dc9400104795c60c96a3c220b9620a9be
                                                                  • Instruction Fuzzy Hash: EE21BA75902228CFDB60DF64C8887ECBBB1AB09329F0064EAD40DA3250E774ABD5CF45
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04E79656
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: f4b93f2f4bb571d44f3b36d72bf09f226143254948dafcc2130be0ca498bf153
                                                                  • Instruction ID: b55763b677a4657d67808b51f4d05c5c1663524c26d3d8fbf6add6e3c4f838f4
                                                                  • Opcode Fuzzy Hash: f4b93f2f4bb571d44f3b36d72bf09f226143254948dafcc2130be0ca498bf153
                                                                  • Instruction Fuzzy Hash: 50A16E71D00259DFEF20CFA8C8817DEBBB2BF48328F148569E849A7251DB749985CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04E79656
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: 561712dc483a86fdc06f9f04dc8330b5f548dade49dd2d07ea06fa13869ef355
                                                                  • Instruction ID: 4f02c14f802cc1695b66374448a9cca751f35e7e30dd0a76f2a8b8b0e298d556
                                                                  • Opcode Fuzzy Hash: 561712dc483a86fdc06f9f04dc8330b5f548dade49dd2d07ea06fa13869ef355
                                                                  • Instruction Fuzzy Hash: FF915E71D00259DFEB20CFA4C8817DDBBB2BF48328F148569E809A7251DB749985CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 00A178C1
Memory Dump Source
• Source File: 00000000.00000002.668944657.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 80299e9b43e7cbcecf9fcb426ca60ffabfeaea92ae78394e88803747778fecf2
• Instruction ID: 6bc3b6d4fca3ecb3c0ae871631738e90cbd1d40d23151115594b1d5a76254da2
• Opcode Fuzzy Hash: 80299e9b43e7cbcecf9fcb426ca60ffabfeaea92ae78394e88803747778fecf2
• Instruction Fuzzy Hash: 8641F371C04618CFDB24DFA9C844BDEBBB1BF48304F20856AD408BB251DBB56989CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 00A178C1
Memory Dump Source
• Source File: 00000000.00000002.668944657.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: bad4749b80c657ea2f4257ba799ad43d57a162ccd582766181675fafe4e8ac17
• Instruction ID: 3ff540cf441a7301c1b020e821abb2d75cdbe800e54b516fc062aa5571f872d5
• Opcode Fuzzy Hash: bad4749b80c657ea2f4257ba799ad43d57a162ccd582766181675fafe4e8ac17
• Instruction Fuzzy Hash: 7A410271C04618CFDB24DFA9C944BDDBBB2BF98304F20856AD408BB250DBB56989CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E79198
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: c5ff6396f34ecd1dbfe61ae41780578ad42e5fc01d11db80708d7cffe03c2b60
• Instruction ID: 025d7578dc0f057357793a7325952bfca9c1725b60670a84aa0f9ed575806076
• Opcode Fuzzy Hash: c5ff6396f34ecd1dbfe61ae41780578ad42e5fc01d11db80708d7cffe03c2b60
• Instruction Fuzzy Hash: A6216B719003499FDF10CFA9C8457EEBBF4FF48364F05842AE954A7241C778A954CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 34672c906516f9e0d6f69e3ec444018a16397146933fedf22aa173713d306ee2
• Instruction ID: 4e64085903b0107c930be58041bafbe3c46c28f5bde2ceb08ba8c4fd54315af2
• Opcode Fuzzy Hash: 34672c906516f9e0d6f69e3ec444018a16397146933fedf22aa173713d306ee2
• Instruction Fuzzy Hash: E2216871D002498BDF10DFA9D5487EEBBF5EF98328F10881AD515BB610CB74A949CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04E79198
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 41b40297be8a6773b7018d8b4e21cae8519cf5edee9606d55d320c19a416f7e7
• Instruction ID: 8e786564443c432e1892b0d1a14ac9a0757d8677e76cef8a1a6a39fbe47e026b
• Opcode Fuzzy Hash: 41b40297be8a6773b7018d8b4e21cae8519cf5edee9606d55d320c19a416f7e7
• Instruction Fuzzy Hash: 712157B19003499FDF10CFAAC8847EEBBF5FF48364F018429E918A7240C778A954CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 04E78EFE
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: ebcab6592e6b730ac1eb61171b7151453161f893c8574d10d3d8fe6496b474d7
• Instruction ID: 7281d8d894c2e76735c1a7079dfa168fc5ae3f69f386aee535bd084503379925
• Opcode Fuzzy Hash: ebcab6592e6b730ac1eb61171b7151453161f893c8574d10d3d8fe6496b474d7
• Instruction Fuzzy Hash: 2C2154719002088FDB10DFAAC4857EEBBF4EF88328F10842AD419A7240DB78A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E792A8
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 1fad81427772513a794378c37ce170b626fa6d3f77161bf74b8a2064551c84bc
• Instruction ID: 8b3c8ee4d1de8659b483cf84be68692dacbf5c68907e5945be02805a05f18817
• Opcode Fuzzy Hash: 1fad81427772513a794378c37ce170b626fa6d3f77161bf74b8a2064551c84bc
• Instruction Fuzzy Hash: 67214A718003499FDB10DFAAC881BEEBBF5FF48324F118429E918A7250C7799905CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 04E78EFE
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: f3faf53fe0cf6caa815af395864b5630b76e9281e982d17807506283beb5ce23
• Instruction ID: 05aa4d87bc871bcbb6e26db2d52ef9d5c542c5e3a849e6b0d390573a51afb5a3
• Opcode Fuzzy Hash: f3faf53fe0cf6caa815af395864b5630b76e9281e982d17807506283beb5ce23
• Instruction Fuzzy Hash: 142165719002088FDB10DFAAC4847EEBBF4EF88328F10802AD419A7240CB78A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E792A8
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 33cbe70fb54fd86b0de894d5fe7d3f1838b64abb01891affdef9ad41f771f67d
• Instruction ID: a2285ad275c43a1a6240cee496441c32e421d0adc83623832913d86b8405e916
• Opcode Fuzzy Hash: 33cbe70fb54fd86b0de894d5fe7d3f1838b64abb01891affdef9ad41f771f67d
• Instruction Fuzzy Hash: 1C2128B19002599FDB10DFAAD8807EEBBF5FF48324F118429E918A7250C779A945CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 00A117BD
Memory Dump Source
• Source File: 00000000.00000002.668944657.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 8898fddfca1ad87d5597635af95ae1dfad2e2f815a48dd67aebce27ab13794b8
• Instruction ID: 13987f4d6e217555e78ce29b73422b4395f159aa9b6f7819efd7ce420d04380b
• Opcode Fuzzy Hash: 8898fddfca1ad87d5597635af95ae1dfad2e2f815a48dd67aebce27ab13794b8
• Instruction Fuzzy Hash: 98218BB59083858FDB20CFA9D9447DEBFF4EB09324F10456AC455E7282C7B85585CFA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 00A11512
Memory Dump Source
• Source File: 00000000.00000002.668944657.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 12868420c2c0f0250fc7148a73ecb1b0e87c1d92f8af36e842aedcddcfd0a4dd
• Instruction ID: 549430afd9a36d665d006297e7563a742c0d1bc8e06c87ecf52ca4e8931f07ed
• Opcode Fuzzy Hash: 12868420c2c0f0250fc7148a73ecb1b0e87c1d92f8af36e842aedcddcfd0a4dd
• Instruction Fuzzy Hash: 412188B19053858FDB60CFA9C9487DEBFF4EB49318F10802AD416E3652C7799585CF61
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 00A11512
Memory Dump Source
• Source File: 00000000.00000002.668944657.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 41dd427486ec413681ad1105a8e0ff0cc8aef5a34cb4e100a05a17e6a4cbe98d
• Instruction ID: f5bfe08077a13f4707611eee9f7ba00a92d9e60d5ac63ccc386c394ab6e1533c
• Opcode Fuzzy Hash: 41dd427486ec413681ad1105a8e0ff0cc8aef5a34cb4e100a05a17e6a4cbe98d
• Instruction Fuzzy Hash: 43119A70900345CFEB60CFA9C5087DEBFF9EB49358F108029C415A3601C779A581CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E79086
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 24b5e1a544ce518fab4d8e21d815f027e0e020fa49bfe663939401d61b1f6940
• Instruction ID: 84d53a35ccd284f5cfa7ac2f2d44d0db16bfe474932466eb713047bc6f1c7010
• Opcode Fuzzy Hash: 24b5e1a544ce518fab4d8e21d815f027e0e020fa49bfe663939401d61b1f6940
• Instruction Fuzzy Hash: 4B1159719042499FDF10CFA9C844BDEBBF5AF88324F148419D925A7250C779A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04E79086
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f7f345cf192f881280d7d77d0eeb704daaa12da6dd528213576779e7c3a25ad9
• Instruction ID: ef685366214ff8166fba354535ccd4f0fff9a974d2683e9c730512e1523ff5d5
• Opcode Fuzzy Hash: f7f345cf192f881280d7d77d0eeb704daaa12da6dd528213576779e7c3a25ad9
• Instruction Fuzzy Hash: 7F1137719042489FDF10DFAAC844BEFBBF5EF88324F148419E529A7250C779A944CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: df5a42877e20dc450fdb32f43db82fca9f466f44acdd29d200b47c59a83bdb6a
• Instruction ID: fe3eff4c2912af7fd0f14c02ca4c2ce3e695f0160ae09aa422f9ee1d5d455814
• Opcode Fuzzy Hash: df5a42877e20dc450fdb32f43db82fca9f466f44acdd29d200b47c59a83bdb6a
• Instruction Fuzzy Hash: 5B113A71D042488BDB10DFAAD8457EFFBF4EF88328F158419D515A7250CB79A944CFA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.668715898.000000000065D000.00000040.00000001.sdmp, Offset: 0065D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b1590500b1c86d0d97342d9f6a98da3b37f7825e94ce2730b24d6fdd60163143
• Instruction ID: 71ce33fd8e4f039b4c64ce952ca80ef98aa77a3df40484ca2b61a77ab1309800
• Opcode Fuzzy Hash: b1590500b1c86d0d97342d9f6a98da3b37f7825e94ce2730b24d6fdd60163143
• Instruction Fuzzy Hash: AB014731008380AAE7304E16DC80BA2BB98EF85725F08840AEE145A386C379D948C6B1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.668715898.000000000065D000.00000040.00000001.sdmp, Offset: 0065D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a3ab04ce8943d24cffe3e9cbb4d0b8a6a2437ba78d3433ea4780f452fb741c0
• Instruction ID: 106a55185f2de1df470fd9ac35bb03901fd67c0be97ed9a7ff527f00bb542298
• Opcode Fuzzy Hash: 5a3ab04ce8943d24cffe3e9cbb4d0b8a6a2437ba78d3433ea4780f452fb741c0
• Instruction Fuzzy Hash: EFF0C8714042849EE7208E06DC84B62FFA8DF91734F18C45AED585B286C3799C44CAB1
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: e48de6a52d12f9dfb3be914f126c096c9ad006729121d96fbb6f6bc81481b2f4
• Instruction ID: 1099bd03d276baf0468c4bf42a8e6bb9f1f35f25444798755bbe609bb2a18aff
• Opcode Fuzzy Hash: e48de6a52d12f9dfb3be914f126c096c9ad006729121d96fbb6f6bc81481b2f4
• Instruction Fuzzy Hash: EA12BD74E00218CFDB14CFA9D984AEDBBF6FF88314F1491A9E909AB255D734A981CF50
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID:
• String ID: vi
• API String ID: 0-3693419983
• Opcode ID: d3eb09714372950d2d56688a56a0d17cfcdb49d46c859af5a225257a8542cc0b
• Instruction ID: c0665484792916624a397edce9dbba0532ed50edf88876eeedb5953cf4edfa43
• Opcode Fuzzy Hash: d3eb09714372950d2d56688a56a0d17cfcdb49d46c859af5a225257a8542cc0b
• Instruction Fuzzy Hash: 1DB1ABB0E0162A8BDB65DF69C984BDDBBF5FF48314F1081E9E048A7605EB309A95DF40
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: f71816885f779663203aee3fa017726935d1b7220f2e380ea1116ad3ba22f01c
• Instruction ID: c953558c42cc43b59ca723ea7c7ad1121b528c15c8ac3e997c72281d3070a76e
• Opcode Fuzzy Hash: f71816885f779663203aee3fa017726935d1b7220f2e380ea1116ad3ba22f01c
• Instruction Fuzzy Hash: 4151A1B1E046188FDB58CFAAC8447DEBBF2AF88314F14D0AAD508A7255EB305A85CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlDecodePointer.NTDLL ref: 04E7B287
• RtlDecodePointer.NTDLL ref: 04E7B2CC
• RtlEncodePointer.NTDLL(00000000), ref: 04E7B337
• RtlDecodePointer.NTDLL(-000000FC), ref: 04E7B381
• RtlEncodePointer.NTDLL(00000000), ref: 04E7B3C1
• RtlDecodePointer.NTDLL ref: 04E7B407
• RtlDecodePointer.NTDLL ref: 04E7B44B
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID: Pointer$Decode$Encode
• String ID:
• API String ID: 1638560559-0
• Opcode ID: 75712ab721c2ddf6ccc7db8813b6938297238f85a690f8b40f99fee21954bb72
• Instruction ID: 1edd31b3df17fdf1e89d962f06bf7b32855289077c53bb787f90906c9259c739
• Opcode Fuzzy Hash: 75712ab721c2ddf6ccc7db8813b6938297238f85a690f8b40f99fee21954bb72
• Instruction Fuzzy Hash: 61811670C05248DFDB10CFA8D5887DDBBF1AB18328F24A41AE915B7391D7B56885CF61
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlDecodePointer.NTDLL ref: 04E7B287
• RtlDecodePointer.NTDLL ref: 04E7B2CC
• RtlEncodePointer.NTDLL(00000000), ref: 04E7B337
• RtlDecodePointer.NTDLL(-000000FC), ref: 04E7B381
• RtlEncodePointer.NTDLL(00000000), ref: 04E7B3C1
• RtlDecodePointer.NTDLL ref: 04E7B407
• RtlDecodePointer.NTDLL ref: 04E7B44B
Memory Dump Source
• Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
Similarity
• API ID: Pointer$Decode$Encode
• String ID:
• API String ID: 1638560559-0
• Opcode ID: 3b3edbc87648cabd6995c915925eb733486fbe0223f908ae62642a0467003596
• Instruction ID: 5f3ad63531eddf82f0dececd5d2284dbf301bb98f79e075abd94386d454c3169
• Opcode Fuzzy Hash: 3b3edbc87648cabd6995c915925eb733486fbe0223f908ae62642a0467003596
• Instruction Fuzzy Hash: 22711770805288DFDB11CFA8D5887DDBFF1AB18318F28A04AE905B7291D7B56885CF61
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlDecodePointer.NTDLL ref: 04E7B5F4
• RtlDecodePointer.NTDLL ref: 04E7B633
• RtlEncodePointer.NTDLL(00000000), ref: 04E7B69A
• RtlDecodePointer.NTDLL(00000000), ref: 04E7B6D6
• RtlEncodePointer.NTDLL(00000000), ref: 04E7B710
• RtlDecodePointer.NTDLL ref: 04E7B750
• RtlDecodePointer.NTDLL ref: 04E7B78E
Memory Dump Source
                                                                  • Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
                                                                  Similarity
                                                                  • API ID: Pointer$Decode$Encode
                                                                  • String ID:
                                                                  • API String ID: 1638560559-0
                                                                  • Opcode ID: 6646a4f5a36f2c303c77ae87cc559a3d5b63c5307a92e9de2da0272acc71e6c6
                                                                  • Instruction ID: 620de3518c164af2927ccd95ca05b3091abab33682eda04c5d711dc3c752be73
                                                                  • Opcode Fuzzy Hash: 6646a4f5a36f2c303c77ae87cc559a3d5b63c5307a92e9de2da0272acc71e6c6
                                                                  • Instruction Fuzzy Hash: 45612A70C04389CFEF218FA9C4483EEBBF0AF1936CF109919D155A6650C7B86585CFA6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlDecodePointer.NTDLL ref: 04E7B5F4
                                                                  • RtlDecodePointer.NTDLL ref: 04E7B633
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 04E7B69A
                                                                  • RtlDecodePointer.NTDLL(00000000), ref: 04E7B6D6
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 04E7B710
                                                                  • RtlDecodePointer.NTDLL ref: 04E7B750
                                                                  • RtlDecodePointer.NTDLL ref: 04E7B78E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.671643674.0000000004E70000.00000040.00000001.sdmp, Offset: 04E70000, based on PE: false
                                                                  Similarity
                                                                  • API ID: Pointer$Decode$Encode
                                                                  • String ID:
                                                                  • API String ID: 1638560559-0
                                                                  • Opcode ID: 14f9709812bcc53bc7809f46ed8eada33b39fb08ab7a57495148bee176e34620
                                                                  • Instruction ID: 3ac665a1cbd437d342158e7d512a02d26ac878a7bb44a3c39d75b9e5963d5b25
                                                                  • Opcode Fuzzy Hash: 14f9709812bcc53bc7809f46ed8eada33b39fb08ab7a57495148bee176e34620
                                                                  • Instruction Fuzzy Hash: 9B6129B0804389CFEF118FA9C5883EEBFF0AF1935CF149919D055A6650C7B86585CF96
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Executed Functions

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 011A69A0
                                                                  • GetCurrentThread.KERNEL32 ref: 011A69DD
                                                                  • GetCurrentProcess.KERNEL32 ref: 011A6A1A
                                                                  • GetCurrentThreadId.KERNEL32 ref: 011A6A73
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927430014.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID: x
                                                                  • API String ID: 2063062207-2890206012
                                                                  • Opcode ID: 18161cbf5dd21c42c102970a9d90d524b860875b85ba7393272302da1a5fd769
                                                                  • Instruction ID: a53b1ef60faa4dea836b855a043af584e0be7b08f8ec06288dcce0a4461ad8fb
                                                                  • Opcode Fuzzy Hash: 18161cbf5dd21c42c102970a9d90d524b860875b85ba7393272302da1a5fd769
                                                                  • Instruction Fuzzy Hash: 9C5134B49002498FDB14CFAAD688BDEBFF1EF88314F248499E419B7360DB745884CB61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 011E29D4
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927519028.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID:
                                                                  • API String ID: 71445658-0
                                                                  • Opcode ID: 131956c81a3af2687e9d7f6d330e1af257091fe79b0a01719ba6fce07cd3f0f3
                                                                  • Instruction ID: 2865849f9e6cf7e7737d85bf88778248c054129b67a93b665688f1aa7b046d87
                                                                  • Opcode Fuzzy Hash: 131956c81a3af2687e9d7f6d330e1af257091fe79b0a01719ba6fce07cd3f0f3
                                                                  • Instruction Fuzzy Hash: F34179B0D053898FDB15CFA9C598B8EBFF5AF49304F19C1AAD408AB351D7788845CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011A51A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927430014.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: 6af3bf7854ce7ccb8461f3f2b271c421a12088149d487baee058a96acf4ef41c
                                                                  • Instruction ID: 0d9104bbad61b6d339919a817cdbc51b5570488043782390e4540b293619677e
                                                                  • Opcode Fuzzy Hash: 6af3bf7854ce7ccb8461f3f2b271c421a12088149d487baee058a96acf4ef41c
                                                                  • Instruction Fuzzy Hash: F951C0B1D14209DFDB14CFAAD884ADEBFB2BF48314F64812AE815AB210D774A945CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011A51A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927430014.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: fda60e70fa8a52f71be1f8d81efa490b0457f7dd92a94a59a4b6cfbee57d2422
                                                                  • Instruction ID: b884a4d9b088338db87bb97ba8fddbf3f1bded5bdf8b88f426584256c75edd91
                                                                  • Opcode Fuzzy Hash: fda60e70fa8a52f71be1f8d81efa490b0457f7dd92a94a59a4b6cfbee57d2422
                                                                  • Instruction Fuzzy Hash: 0E41DFB1D14309DFDB14CF9AD880ADEBFB6BF48314F64812AE819AB210D774A845CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 011A7F09
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927430014.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: CallProcWindow
                                                                  • String ID:
                                                                  • API String ID: 2714655100-0
                                                                  • Opcode ID: 1291650e3349928a725884ab647f42db39e81bfaa8180eccf22bb0b2e11f0783
                                                                  • Instruction ID: 8b42933ab121093cd7f8cc7aadd0034a1be8262dbc275e697bc02332f2e40a1e
                                                                  • Opcode Fuzzy Hash: 1291650e3349928a725884ab647f42db39e81bfaa8180eccf22bb0b2e11f0783
                                                                  • Instruction Fuzzy Hash: 0D416BB9A00305CFCB18CF99C488BAABBF5FF88314F158459E519AB351C735A941CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 011E2C91
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927519028.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: QueryValue
                                                                  • String ID:
                                                                  • API String ID: 3660427363-0
                                                                  • Opcode ID: fa58cd0856e6aee3346c9e5b1b422708acda93e2087d62fcff670a44b3779a47
                                                                  • Instruction ID: 46dff20b84b47b6c3f488f73b3b82ce35cb1bd6dbe079ddfdfb3deb07a5b9c38
                                                                  • Opcode Fuzzy Hash: fa58cd0856e6aee3346c9e5b1b422708acda93e2087d62fcff670a44b3779a47
                                                                  • Instruction Fuzzy Hash: 0731EEB1D006589FCB24CFDAD884A9EBBF9BB48350F15802AE819AB310D7749945CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 011E2C91
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927519028.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: QueryValue
                                                                  • String ID:
                                                                  • API String ID: 3660427363-0
                                                                  • Opcode ID: 43b5ef938ab8502810398f5d7072f63390bff475cc089e080dbf2a7db69ff8c6
                                                                  • Instruction ID: 29386c1f009153f8dd74fa9a3447293a587bc40252969e57a7afcc094e77af7d
                                                                  • Opcode Fuzzy Hash: 43b5ef938ab8502810398f5d7072f63390bff475cc089e080dbf2a7db69ff8c6
                                                                  • Instruction Fuzzy Hash: 1C31EDB1D006589FDB24CFEAD884A9EBFF5BF48310F14802AE819AB210D7749945CFA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 011E29D4
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927519028.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID:
                                                                  • API String ID: 71445658-0
                                                                  • Opcode ID: 0add11ded2357531f0e80975a7bffafcd98c1d93e4383957cfc605a1370f19a9
                                                                  • Instruction ID: 301a82e61a5d61a5f339502e529229bb3f1799dc62c745e889c1c0c2193bca95
                                                                  • Opcode Fuzzy Hash: 0add11ded2357531f0e80975a7bffafcd98c1d93e4383957cfc605a1370f19a9
                                                                  • Instruction Fuzzy Hash: A94112B1C042498FDB14CF99C588A8EFFF8BF48304F28816AE408AB351D7759985CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 011E29D4
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927519028.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID:
                                                                  • API String ID: 71445658-0
                                                                  • Opcode ID: ef587cff96ff0dfe1d6af31b5fe89cfde08c9c1426b8faf4984f7d9c7992207a
                                                                  • Instruction ID: 2ae88d38592b0a8805ff8151ae50ad2ebb530d2b148eb93fbb4f070adc2e3a12
                                                                  • Opcode Fuzzy Hash: ef587cff96ff0dfe1d6af31b5fe89cfde08c9c1426b8faf4984f7d9c7992207a
                                                                  • Instruction Fuzzy Hash: 7E3112B1D002499FDB14CF99C588A8EFFF5BF48314F28816AE409AB310D7759885CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 011AC192
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927430014.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: 0f6c6c133ef6d16e7f7f1664d44b7bacc7852644edd9493ed375a7fdcbe10e54
                                                                  • Instruction ID: 04f473b88b29e0da3c7d759d49843784705f579c778b39ea5dde12b882e97501
                                                                  • Opcode Fuzzy Hash: 0f6c6c133ef6d16e7f7f1664d44b7bacc7852644edd9493ed375a7fdcbe10e54
                                                                  • Instruction Fuzzy Hash: 7D310279905384CFDB11DFA9E4483AEBFF4FB45708F14845AD484A7242C779644ACFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011A6BEF
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927430014.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 78f3aaf33bf5506399c348977e212b8440e116ecb9b98d4af9a69f2df405c055
                                                                  • Instruction ID: 3f6d8b7f3e25ca23be19137ced5b1aba842e84d63126bd795918ec0c54a7d9c9
                                                                  • Opcode Fuzzy Hash: 78f3aaf33bf5506399c348977e212b8440e116ecb9b98d4af9a69f2df405c055
                                                                  • Instruction Fuzzy Hash: 5B21D2B5D002489FDB10CFAAD585AEEBFF4EB48320F14841AE954A7310D378A945CF61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011A6BEF
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927430014.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: d5e1b515689b40b9ac137584dba70c5539b13c98f74e5e11d240b13415be8a37
                                                                  • Instruction ID: 454b0f68540b527958e40929e195a679d4ead6e79dcab76454688987a4bae525
                                                                  • Opcode Fuzzy Hash: d5e1b515689b40b9ac137584dba70c5539b13c98f74e5e11d240b13415be8a37
                                                                  • Instruction Fuzzy Hash: 7D21C4B5D002499FDB10CF9AD984ADEBFF4EB48324F14841AE914A7310D774A944CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,01255769,00000800), ref: 012557FA
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927652414.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: df693c54d9b809cad9d9a13e9a7cadfc897e066faaf21bbfd0281431dd09e3e6
                                                                  • Instruction ID: c1e7da915615d2fc6db750995d04171c0af83e9cc9c4961e3ca5c5f33b02a988
                                                                  • Opcode Fuzzy Hash: df693c54d9b809cad9d9a13e9a7cadfc897e066faaf21bbfd0281431dd09e3e6
                                                                  • Instruction Fuzzy Hash: FF1133B6C00209CFDB14CFAAD484BEEBBF4EB98320F14842AD815A7600C375A545CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,01255769,00000800), ref: 012557FA
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927652414.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: c1c5eb2a5b6d85a382f40a159ee3600bab9839a32bcad1adfe829ec2874d4b99
                                                                  • Instruction ID: 3a8d4e5517632457dfcbc2e2ddc3d578916af1c8916a643b66f2fee9873ada6a
                                                                  • Opcode Fuzzy Hash: c1c5eb2a5b6d85a382f40a159ee3600bab9839a32bcad1adfe829ec2874d4b99
                                                                  • Instruction Fuzzy Hash: D21133B6810209CFDB14CF9AD484BEEBBF4EB48320F04842AE919A7600C374A545CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 011AC192
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927430014.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: 835ba32b8e61d1300ac875b239502ae1ead1b018e611d6c0a656b4847166dd41
                                                                  • Instruction ID: 64f9be318a792d0f186c88f94b318411a64eac82b7cd54dfb86c08fad306e5e2
                                                                  • Opcode Fuzzy Hash: 835ba32b8e61d1300ac875b239502ae1ead1b018e611d6c0a656b4847166dd41
                                                                  • Instruction Fuzzy Hash: FC1159B5A01209CFDB20DFAAD5487AEBFF4FB48754F14882AD405B3601CB39A5458FA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 011A4116
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927430014.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: eccd17aed413c7dcaafbe5abe0012870615ced09366db17f53257c5edb5fb96a
                                                                  • Instruction ID: 4c92a4f1ac14d2300ba17b70ce15c7543da36ac97717071fa5dc389e1b0538f8
                                                                  • Opcode Fuzzy Hash: eccd17aed413c7dcaafbe5abe0012870615ced09366db17f53257c5edb5fb96a
                                                                  • Instruction Fuzzy Hash: 331102B6D002498FDB24CF9AD444BDEFBF4EB89324F14842AD529B7600C378A546CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 011A4116
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927430014.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: 15d879194bf1655269ec5eec4313af52194af9d1c8a7d55d11c0113aa0eb074b
                                                                  • Instruction ID: 6528415783ed9170df4fea9a581e5604a4267fd0479317938545becf27ae6ad6
                                                                  • Opcode Fuzzy Hash: 15d879194bf1655269ec5eec4313af52194af9d1c8a7d55d11c0113aa0eb074b
                                                                  • Instruction Fuzzy Hash: 4811F0B6D042498BDB24CF9AD444BDEFBF4EB88224F15842AD919B7600D3B8A545CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • OleInitialize.OLE32(00000000), ref: 01259125
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927652414.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                  Similarity
                                                                  • API ID: Initialize
                                                                  • String ID:
                                                                  • API String ID: 2538663250-0
                                                                  • Opcode ID: f8d581b14ddf0d2dcce748e6e6332ddb8e82acadba519fd351c7bbc561a6dddc
                                                                  • Instruction ID: 9c7f23af9e0cef4f4e7821f843f7e862b5beeab9b48a13fe2797319345b8e959
                                                                  • Opcode Fuzzy Hash: f8d581b14ddf0d2dcce748e6e6332ddb8e82acadba519fd351c7bbc561a6dddc
                                                                  • Instruction Fuzzy Hash: ED1133B1800359CFCF20CF9AD488BDEBBF4EB48224F148419D918A7600C374A984CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • OleInitialize.OLE32(00000000), ref: 01259125
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927652414.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false
                                                                  Similarity
                                                                  • API ID: Initialize
                                                                  • String ID:
                                                                  • API String ID: 2538663250-0
                                                                  • Opcode ID: 390b318afe828a3bbd95b3718cc8416e517cc5aa1ad587020a2f100575c6631b
                                                                  • Instruction ID: 3f856171476676f23a37355f2935e3f40e78433e61546f402745693730aee703
                                                                  • Opcode Fuzzy Hash: 390b318afe828a3bbd95b3718cc8416e517cc5aa1ad587020a2f100575c6631b
                                                                  • Instruction Fuzzy Hash: 5D1115B1900249CFDF20CF9AD488BDEBBF8EB48324F148419D519A7700D374A944CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927165625.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b2cfc45be50eb8c71e1556489c112205416f0e3bda9e99eb658f2fda7f8110bb
                                                                  • Instruction ID: b00374b44c72976023b783bae64842f645903c6d88852477d865fe296110a1ba
                                                                  • Opcode Fuzzy Hash: b2cfc45be50eb8c71e1556489c112205416f0e3bda9e99eb658f2fda7f8110bb
                                                                  • Instruction Fuzzy Hash: 212128B2904240EFDB05DF10D8C0B67BF65FB99324F248569DC064B646C336E846E7A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927165625.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e7dced42e4d13fae84acbe0094c2d049172df9f100aacc6f30570dd9ed0f95e7
                                                                  • Instruction ID: 6afbb8d7f51686053722cac6d33913aa9e9a12725337d1bf26e5cbe791360e76
                                                                  • Opcode Fuzzy Hash: e7dced42e4d13fae84acbe0094c2d049172df9f100aacc6f30570dd9ed0f95e7
                                                                  • Instruction Fuzzy Hash: 7F216AF2904240EFCF05DF00D9C0B26BF65FB99328F288569E8064B646C336D806E7A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927219444.0000000000FBD000.00000040.00000001.sdmp, Offset: 00FBD000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f984e2a5c4fc41c348aeccb58b6abd56ec84b4da397373b685adb903a8cb7fb7
                                                                  • Instruction ID: 502e8315dc85b070e9d79c558336f684cce35b1b7e6a89ec226c8e7051fdc1de
                                                                  • Opcode Fuzzy Hash: f984e2a5c4fc41c348aeccb58b6abd56ec84b4da397373b685adb903a8cb7fb7
                                                                  • Instruction Fuzzy Hash: C8210775A08240DFCB14EF14D8C4B66BB65FB88364F24C569D80A4B34AD73AD847EE62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927219444.0000000000FBD000.00000040.00000001.sdmp, Offset: 00FBD000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f7a36912675002d3599cf2897fb823246b16bcc0c66edc52af29ae6b0237b830
                                                                  • Instruction ID: 52d67014da6e2a3c35d20f4be3293a522bb1274bf2ce57a75e3b3503f77ddfbb
                                                                  • Opcode Fuzzy Hash: f7a36912675002d3599cf2897fb823246b16bcc0c66edc52af29ae6b0237b830
                                                                  • Instruction Fuzzy Hash: 662180755093C08FCB02CF20D994755BF71EB46324F28C5EAD8498B697C33A980ADB62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927165625.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                                  • Instruction ID: 54412eb595565ccbb83cdc907c5fc30fb59f8f5c09b44161c849effc4e892fac
                                                                  • Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                                  • Instruction Fuzzy Hash: 3811D6B6804280CFDF11CF10D9C4B16BF71FB95324F28C5A9D8054B616C336D85ADBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.927165625.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                                  • Instruction ID: 9b13599659c6fb8ce223b1bd5ca12b21880d28e63609ad7849b808f51745f0d3
                                                                  • Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                                  • Instruction Fuzzy Hash: 4E11E9B6804280CFCF05CF10D5C4B56BF71FB95324F28C5A9D8054B616C336D856DBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Executed Functions

                                                                  APIs
                                                                  • CreateActCtxA.KERNEL32(?), ref: 029478C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.752143231.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: e097da7ca86acfa8b171a51f1bf1ab6b6b3606e754c0236d3a88deaa6fc3b98f
                                                                  • Instruction ID: d72158f8dd5195c52521abc06127b3bde6526b9fbf1b2b6bdc0ed4d13f0c3232
                                                                  • Opcode Fuzzy Hash: e097da7ca86acfa8b171a51f1bf1ab6b6b3606e754c0236d3a88deaa6fc3b98f
                                                                  • Instruction Fuzzy Hash: 9641D271C00218CBDB24DFA9C984BDDBBB5BF48308F24846AD419AB250DB75594ACF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateActCtxA.KERNEL32(?), ref: 029478C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.752143231.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: 304407e34fb42e05196512d5011b96e8ee630928c5105f27effd1c9a42cb596b
                                                                  • Instruction ID: 2bcb0f2d78bf48844eedca26bd64061ac7ef96b3bdf8b4170ec1889931e01beb
                                                                  • Opcode Fuzzy Hash: 304407e34fb42e05196512d5011b96e8ee630928c5105f27effd1c9a42cb596b
                                                                  • Instruction Fuzzy Hash: 1741E371C0021CCBDB24DFA9C884BDEBBB5BF48308F20846AD409AB250DB755945CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 029417BD
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.752143231.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: 3fb4fcbe140d50e5acd9c607cbecfbdf62d4bbf7665c6667cf7ad5840ace2fe2
                                                                  • Instruction ID: 6542285fc5ff6eaf536dcd5cbcc9ba74afb31b96a6471ec93c25ee1a5809a757
                                                                  • Opcode Fuzzy Hash: 3fb4fcbe140d50e5acd9c607cbecfbdf62d4bbf7665c6667cf7ad5840ace2fe2
                                                                  • Instruction Fuzzy Hash: 5221AFB1D043448FDB60CFA9D944BEEBBF4EB08354F10446AC419E7691DB785585CFA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 02941512
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.752143231.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: ee99326ef917a29583a03dba9494ee74903ce2338f468000a4a80eeb76e73f25
                                                                  • Instruction ID: 9664867b3f5ac686ba7267618bb38dd2d649b27b548bc11ef19e8d21a087bb37
                                                                  • Opcode Fuzzy Hash: ee99326ef917a29583a03dba9494ee74903ce2338f468000a4a80eeb76e73f25
                                                                  • Instruction Fuzzy Hash: B421C0B19043458FDF60CFA8C9487DEBFF4EB09318F10806AD41AA7612C7789985CF62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 02941512
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.752143231.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: 386d943e2f1b56a41a370c35e5de235bd5daaa4d93949292080297a384c45e1d
                                                                  • Instruction ID: 795f412580fbd981a3fb5fb1befafb9dfe475940c43e6fd05d7b40e7a51027e4
                                                                  • Opcode Fuzzy Hash: 386d943e2f1b56a41a370c35e5de235bd5daaa4d93949292080297a384c45e1d
                                                                  • Instruction Fuzzy Hash: 95118EB19043458FDF60CFA9C5487DEBFF8EB49318F108429D419A3A11CB39A985CFA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 029417BD
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.752143231.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: e82fa022859584cd4a957e10f676e43f33c85122856b8d51c1afb84d3ec08f2c
                                                                  • Instruction ID: dcc337736a342fd768675726b5bdea6a93d5da8712a5756d2b3a7e3b18973b97
                                                                  • Opcode Fuzzy Hash: e82fa022859584cd4a957e10f676e43f33c85122856b8d51c1afb84d3ec08f2c
                                                                  • Instruction Fuzzy Hash: A41160B19043498FDB60DFA9D944BEEBBF8EB08354F104429D409E7741DB79A584CFA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Executed Functions

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 026569A0
                                                                  • GetCurrentThread.KERNEL32 ref: 026569DD
                                                                  • GetCurrentProcess.KERNEL32 ref: 02656A1A
                                                                  • GetCurrentThreadId.KERNEL32 ref: 02656A73
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.927457599.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: 4f3efdf1fcf73fc13e149447479be29ca4356eeefcc20b7c07e27c023dd70d7e
                                                                  • Instruction ID: 45dbfe3da61d3feee3f7628ee194a4f3c0a4446bae43f84d3490886205f3b55b
                                                                  • Opcode Fuzzy Hash: 4f3efdf1fcf73fc13e149447479be29ca4356eeefcc20b7c07e27c023dd70d7e
                                                                  • Instruction Fuzzy Hash: 9B5179B09043858FDB00CFA9C548BEEBBF0EF48304F14805EE449A7360D7385844CB61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 026569A0
                                                                  • GetCurrentThread.KERNEL32 ref: 026569DD
                                                                  • GetCurrentProcess.KERNEL32 ref: 02656A1A
                                                                  • GetCurrentThreadId.KERNEL32 ref: 02656A73
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.927457599.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: e02af41a2984985a2617bc94d4b3bd6de6f8e3c518c594ce4ceeefb278e0dff2
                                                                  • Instruction ID: 7b6a064a7f63dd24e072b230676ce117a7b650f7f8cc363d2ae54c0971ea8bed
                                                                  • Opcode Fuzzy Hash: e02af41a2984985a2617bc94d4b3bd6de6f8e3c518c594ce4ceeefb278e0dff2
                                                                  • Instruction Fuzzy Hash: 305158B09042598FDB14CFAAD648BEEBBF5EF88314F24805DE419A7350D7386884CF65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.927457599.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 97864197264e9b3bf23cd65d4950651cc0d09dd6fc99dea79d24869eb6a4d174
                                                                  • Instruction ID: f919b1af6c665c1077192f0209579e1a93c8e8e4b66d187ff6b286b1944990e2
                                                                  • Opcode Fuzzy Hash: 97864197264e9b3bf23cd65d4950651cc0d09dd6fc99dea79d24869eb6a4d174
                                                                  • Instruction Fuzzy Hash: 6A6122B1C05249AFDF11CFA9C884ACDBFB1FF49314F15816AE909AB221D7359946CF80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 026551A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.927457599.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: c973d67476f7472e81ac610b4379af7384990ea08fdbc28299a836d98abe03f2
                                                                  • Instruction ID: 696ecd8d8419f306195d8298fa36d7bbe33e3d382b7781ffc91f37dd56b4af4a
                                                                  • Opcode Fuzzy Hash: c973d67476f7472e81ac610b4379af7384990ea08fdbc28299a836d98abe03f2
                                                                  • Instruction Fuzzy Hash: 5E51DEB1D10319DFDB14CFA9C984ADEBFB1BF48314F64812AE819AB210D7749985CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 026551A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.927457599.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: afe9115fd255aa77ae7a8be8c0b658299b4b28b235655996d264bf78cbfa37f1
                                                                  • Instruction ID: 9bac218371c2597855f108ba9a636abd17ee873140bf02b45504c4b8c416aa08
                                                                  • Opcode Fuzzy Hash: afe9115fd255aa77ae7a8be8c0b658299b4b28b235655996d264bf78cbfa37f1
                                                                  • Instruction Fuzzy Hash: 7241B0B1D103199FDF14CF9AC984ADEBFB5BF48314F64812AE819AB210D7749945CF90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 02657F09
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.927457599.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                  Similarity
                                                                  • API ID: CallProcWindow
                                                                  • String ID:
                                                                  • API String ID: 2714655100-0
                                                                  • Opcode ID: 4e62a00da3078def5568a48ecd6cc41159f42101feca30143976818921d2417f
                                                                  • Instruction ID: 7b82fda9a01e0050c3cb8ff7e5365adef8d75d400916c3f915da99956b7609e9
                                                                  • Opcode Fuzzy Hash: 4e62a00da3078def5568a48ecd6cc41159f42101feca30143976818921d2417f
                                                                  • Instruction Fuzzy Hash: B54126B5A00315DFDB15CF99C488AAAFBF5FF88314F248459E819AB320D734A841CFA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.927457599.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ef1f9e0f013c631f28e31165971264b40ddc63940c2dbdfe08b97d698f3c3850
                                                                  • Instruction ID: 97d2031a2773961c3444b4d345978cd807f7dd53ccfac62ee5daa6aef898bff4
                                                                  • Opcode Fuzzy Hash: ef1f9e0f013c631f28e31165971264b40ddc63940c2dbdfe08b97d698f3c3850
                                                                  • Instruction Fuzzy Hash: 002130B1904381CFDB21CF69E8103AA7FF1EB52309F14806BE449A7352C7388806CF65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02656BEF
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.927457599.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: f24c38be2427ffd6f140f927fba13eaae0320c4beff738fc7e8d05fbd5e72cfb
                                                                  • Instruction ID: feef4f8af9281ae3acbb9230947c0ceb73d6a0d96342151440674c7675e4ae16
                                                                  • Opcode Fuzzy Hash: f24c38be2427ffd6f140f927fba13eaae0320c4beff738fc7e8d05fbd5e72cfb
                                                                  • Instruction Fuzzy Hash: EC21E2B5900208DFDB00CFA9D584ADEBBF5FB48324F14842AE918A3750D778A955CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02656BEF
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.927457599.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 3003a34b1806ec4cc4f1a7c7e4f0d464bb68130c66dfc4ca0ebdc74f12c30ca6
                                                                  • Instruction ID: 0077e7df33c6e7173adddef15d9a5c76c58938af5dbb13487db9556171e0d992
                                                                  • Opcode Fuzzy Hash: 3003a34b1806ec4cc4f1a7c7e4f0d464bb68130c66dfc4ca0ebdc74f12c30ca6
                                                                  • Instruction Fuzzy Hash: 1421D5B5900258EFDB10CF9AD984ADEFBF8FB48324F14841AE914A7350D774A954CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 0265C192
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.927457599.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: 9164d639bdf8c7551a3aaac02f9ca8d63468c91a5de34548a22c4c86b3eb2386
                                                                  • Instruction ID: 6799f73fe6fba785aee0906b4ffac006d27624d8a67d7ff8e39e9b0ef555728e
                                                                  • Opcode Fuzzy Hash: 9164d639bdf8c7551a3aaac02f9ca8d63468c91a5de34548a22c4c86b3eb2386
                                                                  • Instruction Fuzzy Hash: 3A1147B1910319CFDB20DFA9D9087AEBBF4EB58714F14842AD805A3741C739A545CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 0265C192
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.927457599.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: ef579760c57f225cd7b12a8f4fdd579f9575e48107705925069ed5d7bdf880fe
                                                                  • Instruction ID: 1b6b51715d26bba83e1d1ad807d46419df8a42f3c10f21746032493ab03c6507
                                                                  • Opcode Fuzzy Hash: ef579760c57f225cd7b12a8f4fdd579f9575e48107705925069ed5d7bdf880fe
                                                                  • Instruction Fuzzy Hash: 181144B1910319CFDB20DFA9D5083AEBBF4EB58714F14842AD805A3741C738A545CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.926787341.0000000000B2D000.00000040.00000001.sdmp, Offset: 00B2D000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 820aedfe1e9d2f84190749cf81c3c065c5fb6fe0da29e1c13475f1e5423703dc
                                                                  • Instruction ID: eca666c59b4db550a7b8ddae021e59e0640129442552f33557c4607f65ba44a8
                                                                  • Opcode Fuzzy Hash: 820aedfe1e9d2f84190749cf81c3c065c5fb6fe0da29e1c13475f1e5423703dc
                                                                  • Instruction Fuzzy Hash: EA212871504240EFDB05DF10E8C0B27BBA5FB98324F24C5A9D8094B346C376E846C7A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.926787341.0000000000B2D000.00000040.00000001.sdmp, Offset: 00B2D000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b115c939db4f32dd32b3fbfef2854b676e55d4c1b20c4830b2b23b3b13922d43
                                                                  • Instruction ID: 19f58ffaefb15ed7de17040df6b088ddcf71e1434db748f5ac8ad380d5b90737
                                                                  • Opcode Fuzzy Hash: b115c939db4f32dd32b3fbfef2854b676e55d4c1b20c4830b2b23b3b13922d43
                                                                  • Instruction Fuzzy Hash: 8D210AB1504244EFDF05DF14E9C0B26BFA5FBA8328F2485A9E80D4B246C376D856DBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.926830687.0000000000B3D000.00000040.00000001.sdmp, Offset: 00B3D000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0726fe3565f656220a9aa9e06fd8e457573ed0b9e976ff0722f26e1719f645b8
                                                                  • Instruction ID: cc17e69dc29307aca90b2089879996bb98745ce94bee36ff779575a9923b6964
                                                                  • Opcode Fuzzy Hash: 0726fe3565f656220a9aa9e06fd8e457573ed0b9e976ff0722f26e1719f645b8
                                                                  • Instruction Fuzzy Hash: 0021F5B1604240EFCB18CF14E8D4B26BBA5FB88B14F34C5A9D8494B246C736D847CA61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.926830687.0000000000B3D000.00000040.00000001.sdmp, Offset: 00B3D000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4381eead33fe1214d245e6a4f40a04afe2373007118ee7bc6b29cdd0031d2374
                                                                  • Instruction ID: dfef129161fb85d8ac6d71f76f852437bc51662f09fc3f67cf94253d38455d98
                                                                  • Opcode Fuzzy Hash: 4381eead33fe1214d245e6a4f40a04afe2373007118ee7bc6b29cdd0031d2374
                                                                  • Instruction Fuzzy Hash: B42162755083809FCB06CF24D994B11BFB1EB56714F28C5DAD8458F257C33AD85ACB62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.926787341.0000000000B2D000.00000040.00000001.sdmp, Offset: 00B2D000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                                  • Instruction ID: 4a0cde4436819a103d8ec1b6855a385fdf82e56ff7d9ace50a5e4e492c060d34
                                                                  • Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                                  • Instruction Fuzzy Hash: D3119376504280DFCF16CF10D5C4B56BFB2FB94324F24C6A9D8494B656C33AD856CBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.926787341.0000000000B2D000.00000040.00000001.sdmp, Offset: 00B2D000, based on PE: false
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                                  • Instruction ID: 18cb7e31f33204fe79b2f3dc62390233f44b3d0a41bbc8dbe79e5495065476d2
                                                                  • Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                                                  • Instruction Fuzzy Hash: 1D11D376404280CFCF11CF10E5C4B16BFB1FB98324F24C6A9D8094B616C37AD85ACBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Executed Functions

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 014517BD
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.754828740.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: 83fa21d398dede09cf1cf5bf4a2e7e6e0477d5781f35bdd1ae41a7ba65f20df0
                                                                  • Instruction ID: 25cd4d92d0162bf8927d1733548b60f1ebcbef39e25b3a553f387805b5debc7a
                                                                  • Opcode Fuzzy Hash: 83fa21d398dede09cf1cf5bf4a2e7e6e0477d5781f35bdd1ae41a7ba65f20df0
                                                                  • Instruction Fuzzy Hash: C621ACB2D043898FDBA1CFA9D5487AEBBF4EB18318F24446EC805A7662C3385545CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 01451512
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.754828740.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: 1f67c1a8bd23eb969bc5418a35bfad97b86781caf42165098cb6e2983a57a533
                                                                  • Instruction ID: 325d68e207a87b7d3127043b8228ecce9ace78646c16bec07fbc30126e1776b1
                                                                  • Opcode Fuzzy Hash: 1f67c1a8bd23eb969bc5418a35bfad97b86781caf42165098cb6e2983a57a533
                                                                  • Instruction Fuzzy Hash: 3221AE759043498FDFA0CFA9C54839EBFF4EB49318F10802AC815A7622C3389541CF61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 01451512
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.754828740.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: ff878be22fd09b760e629ff71157f7b3f3f8a260a473a4c367d191296e2ea63b
                                                                  • Instruction ID: d42ecd7b7e152d29c31f7c885843734081bafc01e42e4b01ab56996acafc8581
                                                                  • Opcode Fuzzy Hash: ff878be22fd09b760e629ff71157f7b3f3f8a260a473a4c367d191296e2ea63b
                                                                  • Instruction Fuzzy Hash: B911B1749003098FDF60CFA9C64879EBFF4EB49318F10802AC815A3712C739A541CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 014517BD
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.754828740.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: 3f425b6ed5dd400307927251aaf819dfde69dc36485995055ecac6c04f878726
                                                                  • Instruction ID: e354762fa69a55a3fc4cee8fefa96a71fb56e078814349641bfa2a13aa8c5a44
                                                                  • Opcode Fuzzy Hash: 3f425b6ed5dd400307927251aaf819dfde69dc36485995055ecac6c04f878726
                                                                  • Instruction Fuzzy Hash: 8F118EB58043498FDB60DFAAD54479EBBF8EB08718F10442AC805A7752C779A544CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions