Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report SecuriteInfo.com.BehavesLike.Win32.Generic.cc.14146

Overview

General Information

Sample Name:SecuriteInfo.com.BehavesLike.Win32.Generic.cc.14146 (renamed file extension from 14146 to exe)
Analysis ID:339176
MD5:b232b5c7754d932b07c0d47f934efbfe
SHA1:7c3d92552f6ebab8956727beecaac5d22c87a55b
SHA256:3311cea59262b019a69fb72b72a36fc8e55d48a0f14f853b3a52fc8740542e99
Tags:AgentTesla

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0AGywGPT", "URL: ": "https://wV71njTiOcKvohmw.org", "To: ": "0012@dividekings.com", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "qOQRsCQgut", "From: ": "0012@dividekings.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.998174021.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 7164JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 3 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.3152.3.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "=0AGywGPT", "URL: ": "https://wV71njTiOcKvohmw.org", "To: ": "0012@dividekings.com", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "qOQRsCQgut", "From: ": "0012@dividekings.com"}
              Multi AV Scanner detection for submitted fileShow sources
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeReversingLabs: Detection: 19%
              Machine Learning detection for sampleShow sources
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeJoe Sandbox ML: detected
              Source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_05C1B540
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_05C1B550
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 4x nop then jmp 05C1A974h0_2_05C1A8F4

              Networking:

              barindex
              C2 URLs / IPs found in malware configurationShow sources
              Source: Malware configuration extractorURLs: https://wV71njTiOcKvohmw.org
              Source: global trafficTCP traffic: 192.168.2.4:49778 -> 199.193.7.228:587
              Source: Joe Sandbox ViewIP Address: 199.193.7.228 199.193.7.228
              Source: global trafficTCP traffic: 192.168.2.4:49778 -> 199.193.7.228:587
              Source: unknownDNS traffic detected: queries for: smtp.privateemail.com
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://MLrjrg.com
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1002690754.0000000006D80000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000003.887543787.00000000014E5000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000561645.00000000033EE000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1002690754.0000000006D80000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000561645.00000000033EE000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998907100.0000000001433000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.use3
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000561645.00000000033EE000.00000004.00000001.sdmpString found in binary or memory: http://smtp.privateemail.com
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000561645.00000000033EE000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000661830.000000000341B000.00000004.00000001.sdmp, SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000649442.0000000003414000.00000004.00000001.sdmp, SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000003.868064909.0000000001264000.00000004.00000001.sdmp, SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000469332.00000000033A0000.00000004.00000001.sdmp, SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: https://wV71njTiOcKvohmw.org
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmp, SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998174021.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              barindex
              Installs a global keyboard hookShow sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeJump to behavior
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.665794787.0000000000CFB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

              System Summary:

              barindex
              .NET source code contains very large array initializationsShow sources
              Source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b49EBC49Du002dB1B3u002d4ED6u002dA41Au002d329378617F94u007d/u0031A3AC0E6u002d0D4Cu002d475Fu002dB7A0u002dA416DBBA91DC.csLarge array initialization: .cctor: array initializer size 11960
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_0111C62C0_2_0111C62C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_0111E8900_2_0111E890
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_0111E89F0_2_0111E89F
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_0111E8A00_2_0111E8A0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_05C1BE3C0_2_05C1BE3C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_05C16DC80_2_05C16DC8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_05C16DB80_2_05C16DB8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_05C10B590_2_05C10B59
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 0_2_05C10B680_2_05C10B68
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E1BCC3_3_014E1BCC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E1BCC3_3_014E1BCC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E2CC13_3_014E2CC1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E2CC13_3_014E2CC1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E1BCC3_3_014E1BCC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E1BCC3_3_014E1BCC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E2CC13_3_014E2CC1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014E2CC13_3_014E2CC1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_012469283_2_01246928
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_012400403_2_01240040
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_0124BCF03_2_0124BCF0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_01248E383_2_01248E38
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_012460143_2_01246014
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_012454903_2_01245490
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_012448D83_2_012448D8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_012422203_2_01242220
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_016A48003_2_016A4800
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_016A47103_2_016A4710
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_016AD8B03_2_016AD8B0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_065207713_2_06520771
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_06524B903_2_06524B90
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_065230183_2_06523018
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_0652A4083_2_0652A408
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_0652C0083_2_0652C008
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_0652DC383_2_0652DC38
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_065290F03_2_065290F0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_065253303_2_06525330
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_065253D03_2_065253D0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_065290903_2_06529090
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000000.648544028.0000000000612000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDESCUNION.exe@ vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.665794787.0000000000CFB000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePositiveSign.dll< vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUwmOHHBDnoPggABxzNSakYVEIeLLIDPrAYZ.exe4 vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSoapName.dll2 vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000002.00000002.662707396.0000000000042000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDESCUNION.exe@ vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998225577.0000000000C72000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDESCUNION.exe@ vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998174021.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameUwmOHHBDnoPggABxzNSakYVEIeLLIDPrAYZ.exe4 vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999048731.0000000001580000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998362641.00000000010F8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998855821.000000000140A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeBinary or memory string: OriginalFilenameDESCUNION.exe@ vs SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/2@2/1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.logJump to behavior
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeReversingLabs: Detection: 19%
              Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe 'C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe'
              Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

              barindex
              .NET source code contains potential unpackerShow sources
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.610000.0.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.610000.0.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.0.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.40000.0.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.40000.0.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 3.0.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.c70000.0.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.c70000.1.unpack, LoaderInformation.cs.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014DE07C push edx; iretd 3_3_014DE089
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014DE07C push edx; iretd 3_3_014DE089
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014DE07C push edx; iretd 3_3_014DE089
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_3_014DE07C push edx; iretd 3_3_014DE089
              Source: initial sampleStatic PE information: section name: .text entropy: 7.3067407255
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              barindex
              Yara detected AntiVM_3Show sources
              Source: Yara matchFile source: 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 7164, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWindow / User API: threadDelayed 8319Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWindow / User API: threadDelayed 1531Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe TID: 3788Thread sleep time: -54102s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe TID: 6336Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe TID: 6400Thread sleep time: -17524406870024063s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe TID: 5644Thread sleep count: 8319 > 30Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe TID: 5644Thread sleep count: 1531 > 30Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: vmware
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998907100.0000000001433000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCode function: 3_2_0652C008 LdrInitializeThunk,3_2_0652C008
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion:

              barindex
              Injects a PE file into a foreign processesShow sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeMemory written: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeJump to behavior
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999438220.0000000001A80000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999438220.0000000001A80000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999438220.0000000001A80000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999438220.0000000001A80000.00000002.00000001.sdmpBinary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000003.00000002.998174021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 7164, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 3152, type: MEMORY
              Source: Yara matchFile source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
              Tries to harvest and steal browser information (history, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Tries to harvest and steal ftp login credentialsShow sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
              Tries to steal Mail credentials (via file access)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: Yara matchFile source: 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 3152, type: MEMORY

              Remote Access Functionality:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000003.00000002.998174021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 7164, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 3152, type: MEMORY
              Source: Yara matchFile source: 3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection112Masquerading1OS Credential Dumping2Query Registry1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion13Input Capture111Security Software Discovery211Remote Desktop ProtocolInput Capture111Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Credentials in Registry1Virtualization/Sandbox Evasion13SMB/Windows Admin SharesArchive Collected Data11Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSProcess Discovery2Distributed Component Object ModelData from Local System2Scheduled TransferApplication Layer Protocol111SIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsApplication Window Discovery1SSHClipboard Data1Data Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information3Cached Domain CredentialsRemote System Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing12DCSyncSystem Information Discovery114Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.

              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe20%ReversingLabsWin32.Trojan.Generic
              SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe100%Joe Sandbox ML

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              SourceDetectionScannerLabelLinkDownload
              3.2.SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
              http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
              http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
              http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
              https://wV71njTiOcKvohmw.org0%Avira URL Cloudsafe
              http://DynDns.comDynDNS0%URL Reputationsafe
              http://DynDns.comDynDNS0%URL Reputationsafe
              http://DynDns.comDynDNS0%URL Reputationsafe
              https://sectigo.com/CPS00%URL Reputationsafe
              https://sectigo.com/CPS00%URL Reputationsafe
              https://sectigo.com/CPS00%URL Reputationsafe
              http://ocsp.sectigo.com00%URL Reputationsafe
              http://ocsp.sectigo.com00%URL Reputationsafe
              http://ocsp.sectigo.com00%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
              https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
              https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
              http://MLrjrg.com0%Avira URL Cloudsafe
              http://ocsp.use30%Avira URL Cloudsafe
              https://api.ipify.org%0%Avira URL Cloudsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              smtp.privateemail.com
              		199.193.7.228
              		truefalse
                		high

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                https://wV71njTiOcKvohmw.orgtrue
                • Avira URL Cloud: safe
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000561645.00000000033EE000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://127.0.0.1:HTTP/1.1SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		low
                http://DynDns.comDynDNSSecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                https://sectigo.com/CPS0SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000561645.00000000033EE000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://ocsp.sectigo.com0SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000561645.00000000033EE000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haSecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                https://api.ipify.org%GETMozilla/5.0SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		low
                http://MLrjrg.comSecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://ocsp.use3SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998907100.0000000001433000.00000004.00000020.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://api.ipify.org%SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		low
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipSecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmp, SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.998174021.0000000000402000.00000040.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://smtp.privateemail.comSecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe, 00000003.00000002.1000561645.00000000033EE000.00000004.00000001.sdmpfalse
                  		high

                  Contacted IPs

                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs

                  Public

                  IPDomainCountryFlagASNASN NameMalicious
                  199.193.7.228
                  		unknownUnited States
                  		22612NAMECHEAP-NETUSfalse

                  General Information

                  Joe Sandbox Version:31.0.0 Red Diamond
                  Analysis ID:339176
                  Start date:13.01.2021
                  Start time:16:43:34
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 9m 19s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:SecuriteInfo.com.BehavesLike.Win32.Generic.cc.14146 (renamed file extension from 14146 to exe)
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of analysed new started processes analysed:19
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@5/2@2/1
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 3.8% (good quality ratio 3.8%)
                  • Quality average: 71%
                  • Quality standard deviation: 0%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 56
                  • Number of non-executed functions: 9
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  Warnings:
                  Show All
                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, wermgr.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                  • Excluded IPs from analysis (whitelisted): 52.255.188.83, 13.64.90.137, 51.104.139.180, 40.88.32.150, 92.122.213.194, 92.122.213.247, 8.253.204.120, 8.253.95.249, 67.27.159.254, 67.27.233.254, 8.248.149.254, 20.54.26.129, 52.155.217.156, 20.190.129.130, 20.190.129.19, 40.126.1.145, 40.126.1.128, 40.126.1.130, 20.190.129.133, 20.190.129.24, 20.190.129.17, 52.147.198.201, 51.104.144.132
                  • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, dub2.current.a.prd.aadg.trafficmanager.net, blobcollector.events.data.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/339176/sample/SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe

                  Simulations

                  Behavior and APIs

                  TimeTypeDescription
                  16:44:28API Interceptor1052x Sleep call for process: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe modified

                  Joe Sandbox View / Context

                  IPs

                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                  199.193.7.228DHL-Address.xlsxGet hashmaliciousBrowse
                    shipping-document.xlsxGet hashmaliciousBrowse
                      iVUeQOg6LO.exeGet hashmaliciousBrowse
                        SecuriteInfo.com.Generic.mg.e92f0e2d08762687.exeGet hashmaliciousBrowse
                          DHL-document.xlsxGet hashmaliciousBrowse
                            wCRnCAMZ3yT8BQ2.exeGet hashmaliciousBrowse
                              Mj1eX5GWJxDRnuk.exeGet hashmaliciousBrowse
                                SecuriteInfo.com.Trojan.Inject4.6535.8815.exeGet hashmaliciousBrowse
                                  shipping document.xlsxGet hashmaliciousBrowse
                                    SecuriteInfo.com.Trojan.Inject4.6512.28917.exeGet hashmaliciousBrowse
                                      p72kooG5ak.exeGet hashmaliciousBrowse
                                        additional items.xlsxGet hashmaliciousBrowse
                                          swift copy 1f354972.exeGet hashmaliciousBrowse
                                            DB_DHL_AWB_00117980920AD.exeGet hashmaliciousBrowse
                                              Payment Advice - Advice Ref[G20376302776].pptx.exeGet hashmaliciousBrowse
                                                Payment Reminder & SOA 202020121158.exeGet hashmaliciousBrowse
                                                  kg.exeGet hashmaliciousBrowse
                                                    logo.exeGet hashmaliciousBrowse
                                                      Pictures.exeGet hashmaliciousBrowse
                                                        7iZX0KCH4C.exeGet hashmaliciousBrowse

                                                          Domains

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          smtp.privateemail.comDHL-Address.xlsxGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          shipping-document.xlsxGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          iVUeQOg6LO.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          SecuriteInfo.com.Generic.mg.e92f0e2d08762687.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          DHL-document.xlsxGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          wCRnCAMZ3yT8BQ2.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          Mj1eX5GWJxDRnuk.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          SecuriteInfo.com.Trojan.Inject4.6535.8815.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          shipping document.xlsxGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          SecuriteInfo.com.Trojan.Inject4.6512.28917.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          p72kooG5ak.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          additional items.xlsxGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          swift copy 1f354972.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          DB_DHL_AWB_00117980920AD.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          Payment Advice - Advice Ref[G20376302776].pptx.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          Payment Reminder & SOA 202020121158.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          kg.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          logo.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          Pictures.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          PO48905232020.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228

                                                          ASN

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          NAMECHEAP-NETUSDHL-Address.xlsxGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          New FedEx paper work review.exeGet hashmaliciousBrowse
                                                          • 198.54.122.60
                                                          PO-000202112.exeGet hashmaliciousBrowse
                                                          • 63.250.34.114
                                                          urgent specification request.exeGet hashmaliciousBrowse
                                                          • 198.54.117.210
                                                          g2fUeYQ7Rh.exeGet hashmaliciousBrowse
                                                          • 198.54.117.210
                                                          shipping-document.xlsxGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          Project review_Pdf.exeGet hashmaliciousBrowse
                                                          • 198.54.117.215
                                                          iVUeQOg6LO.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          mscthef-Fichero-ES.msiGet hashmaliciousBrowse
                                                          • 162.255.118.194
                                                          SecuriteInfo.com.Generic.mg.e92f0e2d08762687.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          Purchase Order -263.exeGet hashmaliciousBrowse
                                                          • 162.0.232.59
                                                          Duty checklist and PTP letter.exeGet hashmaliciousBrowse
                                                          • 162.255.119.136
                                                          zz4osC4FRa.exeGet hashmaliciousBrowse
                                                          • 162.0.238.245
                                                          0XrD9TsGUr.exeGet hashmaliciousBrowse
                                                          • 198.54.117.216
                                                          DHL-document.xlsxGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          RFQ 41680.xlsxGet hashmaliciousBrowse
                                                          • 198.54.117.211
                                                          Invoice.exeGet hashmaliciousBrowse
                                                          • 162.213.255.55
                                                          wCRnCAMZ3yT8BQ2.exeGet hashmaliciousBrowse
                                                          • 199.193.7.228
                                                          INV2680371456-20210111889374.xlsmGet hashmaliciousBrowse
                                                          • 68.65.122.35
                                                          INV8073565781-20210111319595.xlsmGet hashmaliciousBrowse
                                                          • 198.54.125.162

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe.log
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.355304211458859
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                          MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                          SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                          SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                          SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                          Malicious:true
                                                          Reputation:moderate, very likely benign file
                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                          C:\Users\user\AppData\Roaming\jebez5tq.lzt\Chrome\Default\Cookies
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.7006690334145785
                                                          Encrypted:false
                                                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                          MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                          SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                          SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                          SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.300736524263088
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          File name:SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
                                                          File size:843776
                                                          MD5:b232b5c7754d932b07c0d47f934efbfe
                                                          SHA1:7c3d92552f6ebab8956727beecaac5d22c87a55b
                                                          SHA256:3311cea59262b019a69fb72b72a36fc8e55d48a0f14f853b3a52fc8740542e99
                                                          SHA512:4e3abe570fa413fb74b1efcf56560d5275cbcaf8217779e46dc65e13c2185c23f0be2b01b91dcb5aead24c6f68e8f84b432b7efba87f2cc835bfa2848a406740
                                                          SSDEEP:12288:8XT4rp65D+SL7y7INIIdGZMonTVA2Wsa8tpJKS:VhSJNILZn62WJ8td
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P.............>.... ........@.. .......................@............@................................

                                                          File Icon

                                                          Icon Hash:00828e8e8686b000

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4cf43e
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x5FFEB6D9 [Wed Jan 13 09:01:13 2021 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:v4.0.30319
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al

                                                          Data Directories

                                                          NameVirtual AddressVirtual Size Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xcf3ec0x4f.text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xd00000x5c4.rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xd20000xc.reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                          Sections

                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                          .text0x20000xcd4440xcd600False0.697408275639data7.3067407255IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                          .rsrc0xd00000x5c40x600False0.421875data4.12609636513IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc0xd20000xc0x200False0.044921875data0.0980041756627IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          NameRVASizeTypeLanguageCountry
                                                          RT_VERSION0xd00900x334data
                                                          RT_MANIFEST0xd03d40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                          Imports

                                                          DLLImport
                                                          mscoree.dll_CorExeMain

                                                          Version Infos

                                                          DescriptionData
                                                          Translation0x0000 0x04b0
                                                          LegalCopyrightCopyright 2011
                                                          Assembly Version1.0.0.0
                                                          InternalNameDESCUNION.exe
                                                          FileVersion1.0.0.0
                                                          CompanyName
                                                          LegalTrademarks
                                                          Comments
                                                          ProductNameFileReplacement
                                                          ProductVersion1.0.0.0
                                                          FileDescriptionFileReplacement
                                                          OriginalFilenameDESCUNION.exe

                                                          Network Behavior

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Jan 13, 2021 16:46:11.757272005 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:11.948328018 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:11.948523998 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:12.142493963 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:12.142971039 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:12.333554983 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:12.333998919 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:12.334683895 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:12.525620937 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:12.566602945 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:12.609807968 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:12.800419092 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:12.802321911 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:12.802376986 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:12.802535057 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:12.802803040 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:12.847980976 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:12.993083954 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:13.036071062 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:13.226752043 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:13.227642059 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:13.227680922 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:13.227817059 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:13.500853062 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:13.691303015 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:13.697016001 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:13.698837996 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:13.889292002 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:13.895484924 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:13.896471977 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:14.087001085 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.090814114 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.091847897 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:14.282464981 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.283643007 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.284425974 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:14.474961042 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.507121086 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.507625103 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:14.698227882 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.699042082 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.701308966 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:14.701559067 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:14.702471972 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:14.702558994 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:14.891746044 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.891773939 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.892991066 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.893054962 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.904805899 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:14.957734108 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:16.780534983 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:16.971262932 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:16.971898079 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:16.971944094 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:16.972031116 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:17.930212021 CET49778587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:18.120556116 CET58749778199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:18.413789988 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:18.604154110 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:18.604260921 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:18.802757025 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:18.803105116 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:18.993189096 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:18.993951082 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:18.994271994 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:19.184335947 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:19.185312986 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:19.375399113 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:19.375586033 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:19.375633955 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:19.375828028 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:19.378537893 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:19.380388975 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:19.568555117 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:19.568856001 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:19.570337057 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:19.570744991 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:19.571544886 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:19.761825085 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:19.762775898 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:19.764028072 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:20.067236900 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:20.411036015 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:20.960117102 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:20.960897923 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:21.150852919 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:21.157138109 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:21.157592058 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:21.347753048 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:21.380951881 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:21.381484985 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:21.571430922 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:21.574239016 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:21.576109886 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:21.576283932 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:21.576421022 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:21.576558113 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:21.766364098 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:21.766382933 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:21.766391039 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:21.766402006 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:21.766529083 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:21.956463099 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:21.970341921 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:22.020515919 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:37.210175037 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:37.211849928 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:46:52.401763916 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:46:52.402344942 CET49779587192.168.2.4199.193.7.228
                                                          Jan 13, 2021 16:47:07.591764927 CET58749779199.193.7.228192.168.2.4
                                                          Jan 13, 2021 16:47:07.591839075 CET49779587192.168.2.4199.193.7.228

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Jan 13, 2021 16:44:17.688914061 CET6454953192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:17.737062931 CET53645498.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:18.491009951 CET6315353192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:18.538971901 CET53631538.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:19.322529078 CET5299153192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:19.370450974 CET53529918.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:20.486376047 CET5370053192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:20.534308910 CET53537008.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:21.909039021 CET5172653192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:21.957000017 CET53517268.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:22.688029051 CET5679453192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:22.744488955 CET53567948.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:23.588207960 CET5653453192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:23.636066914 CET53565348.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:24.724006891 CET5662753192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:24.774846077 CET53566278.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:25.591173887 CET5662153192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:25.641993999 CET53566218.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:26.984771013 CET6311653192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:27.033406973 CET53631168.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:29.066828012 CET6407853192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:29.117539883 CET53640788.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:46.950552940 CET6480153192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:46.998497963 CET53648018.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:50.241781950 CET6172153192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:50.289705992 CET53617218.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:51.028373957 CET5125553192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:51.079880953 CET53512558.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:51.862539053 CET6152253192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:51.913247108 CET53615228.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:44:52.190464020 CET5233753192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:44:52.247957945 CET53523378.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:07.352602005 CET5504653192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:07.400609970 CET53550468.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:07.570275068 CET4961253192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:07.618177891 CET53496128.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:10.204570055 CET4928553192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:10.276086092 CET53492858.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:10.574723005 CET5060153192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:10.633799076 CET53506018.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:11.261090040 CET6087553192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:11.320754051 CET53608758.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:11.922899008 CET5644853192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:11.979140043 CET53564488.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:12.408426046 CET5917253192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:12.467674017 CET53591728.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:12.913372993 CET6242053192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:12.969984055 CET53624208.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:13.490417957 CET6057953192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:13.547166109 CET53605798.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:14.096458912 CET5018353192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:14.152939081 CET53501838.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:14.992047071 CET6153153192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:15.051367998 CET53615318.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:15.886110067 CET4922853192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:15.946121931 CET53492288.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:16.387881994 CET5979453192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:16.444397926 CET53597948.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:23.680166960 CET5591653192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:23.737891912 CET53559168.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:51.966533899 CET5275253192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:52.017374992 CET53527528.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:52.530791998 CET6054253192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:52.581692934 CET53605428.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:56.850696087 CET6068953192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:56.898529053 CET53606898.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:45:58.814208984 CET6420653192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:45:58.862072945 CET53642068.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:46:11.575026035 CET5090453192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:46:11.631670952 CET53509048.8.8.8192.168.2.4
                                                          Jan 13, 2021 16:46:18.354671001 CET5752553192.168.2.48.8.8.8
                                                          Jan 13, 2021 16:46:18.411058903 CET53575258.8.8.8192.168.2.4

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                          Jan 13, 2021 16:46:11.575026035 CET192.168.2.48.8.8.80xeba4Standard query (0)smtp.privateemail.comA (IP address)IN (0x0001)
                                                          Jan 13, 2021 16:46:18.354671001 CET192.168.2.48.8.8.80xeef1Standard query (0)smtp.privateemail.comA (IP address)IN (0x0001)

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                          Jan 13, 2021 16:45:52.017374992 CET8.8.8.8192.168.2.40x49b6No error (0)prda.aadg.msidentity.comwww.tm.a.prd.aadg.trafficmanager.netCNAME (Canonical name)IN (0x0001)
                                                          Jan 13, 2021 16:46:11.631670952 CET8.8.8.8192.168.2.40xeba4No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)
                                                          Jan 13, 2021 16:46:18.411058903 CET8.8.8.8192.168.2.40xeef1No error (0)smtp.privateemail.com199.193.7.228A (IP address)IN (0x0001)

                                                          SMTP Packets

                                                          TimestampSource PortDest PortSource IPDest IPCommands
                                                          Jan 13, 2021 16:46:12.142493963 CET58749778199.193.7.228192.168.2.4220 PrivateEmail.com Mail Node
                                                          Jan 13, 2021 16:46:12.142971039 CET49778587192.168.2.4199.193.7.228EHLO 585948
                                                          Jan 13, 2021 16:46:12.333998919 CET58749778199.193.7.228192.168.2.4250-MTA-06.privateemail.com
                                                          250-PIPELINING
                                                          250-SIZE 81788928
                                                          250-ETRN
                                                          250-AUTH PLAIN LOGIN
                                                          250-ENHANCEDSTATUSCODES
                                                          250-8BITMIME
                                                          250 STARTTLS
                                                          Jan 13, 2021 16:46:12.334683895 CET49778587192.168.2.4199.193.7.228STARTTLS
                                                          Jan 13, 2021 16:46:12.525620937 CET58749778199.193.7.228192.168.2.4220 Ready to start TLS
                                                          Jan 13, 2021 16:46:18.802757025 CET58749779199.193.7.228192.168.2.4220 PrivateEmail.com Mail Node
                                                          Jan 13, 2021 16:46:18.803105116 CET49779587192.168.2.4199.193.7.228EHLO 585948
                                                          Jan 13, 2021 16:46:18.993951082 CET58749779199.193.7.228192.168.2.4250-MTA-06.privateemail.com
                                                          250-PIPELINING
                                                          250-SIZE 81788928
                                                          250-ETRN
                                                          250-AUTH PLAIN LOGIN
                                                          250-ENHANCEDSTATUSCODES
                                                          250-8BITMIME
                                                          250 STARTTLS
                                                          Jan 13, 2021 16:46:18.994271994 CET49779587192.168.2.4199.193.7.228STARTTLS
                                                          Jan 13, 2021 16:46:19.184335947 CET58749779199.193.7.228192.168.2.4220 Ready to start TLS

                                                          Code Manipulations

                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          Analysis Process: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 7164 Parent PID: 5776

                                                          General

                                                          Start time:16:44:22
                                                          Start date:13/01/2021
                                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe'
                                                          Imagebase:0x610000
                                                          File size:843776 bytes
                                                          MD5 hash:B232B5C7754D932B07C0D47F934EFBFE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.667526468.0000000003A49000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.666339476.0000000002A41000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          Chronological Activities

                                                          Analysis Process: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 6108 Parent PID: 7164

                                                          General

                                                          Start time:16:44:29
                                                          Start date:13/01/2021
                                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
                                                          Imagebase:0x40000
                                                          File size:843776 bytes
                                                          MD5 hash:B232B5C7754D932B07C0D47F934EFBFE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low

                                                          Chronological Activities

                                                          Analysis Process: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 3152 Parent PID: 7164

                                                          General

                                                          Start time:16:44:29
                                                          Start date:13/01/2021
                                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe
                                                          Imagebase:0xc70000
                                                          File size:843776 bytes
                                                          MD5 hash:B232B5C7754D932B07C0D47F934EFBFE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.998174021.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.999750695.0000000003081000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          Chronological Activities

                                                          Disassembly

                                                          Code Analysis

                                                          Reset < >

                                                            Analysis Process: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 7164 Parent PID: 5776 SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCOMMON

                                                            Executed Functions

                                                            Function 05C1A8F4, Relevance: 3.8, Strings: 3, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %$.$5
                                                            • API String ID: 0-1977295215
                                                            • Opcode ID: 955357495e1d9e53f8e80acfcfdcabe26638ad134b301125b1987c4df015992f
                                                            • Instruction ID: 635d762ead62891ef0aa0973b825dfbbe4488670e55e7c699229a31fa3e590a5
                                                            • Opcode Fuzzy Hash: 955357495e1d9e53f8e80acfcfdcabe26638ad134b301125b1987c4df015992f
                                                            • Instruction Fuzzy Hash: 7A210370906268CFDB20CFA4DD88BE8B7B1BB46302F1094D5D909A7250C7348EC4DF49
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C1BE3C, Relevance: .5, Instructions: 501COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 656f61ec45b482c097b76e0b76689ea56b9d96f4e1ec1fa411b5e00c10ec95a9
                                                            • Instruction ID: e1cda82c1b31e33f835f3befe3174b6c37205a9cb9fcb5a055040ccb6931877d
                                                            • Opcode Fuzzy Hash: 656f61ec45b482c097b76e0b76689ea56b9d96f4e1ec1fa411b5e00c10ec95a9
                                                            • Instruction Fuzzy Hash: FBE1DD317407118FDB29DBB5C450BAEB7F6AF8A304F248869E546DB290CB35EE01DB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C1B540, Relevance: .1, Instructions: 55COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 537ac9ed0109383f7f6175824169bac313fa7d70157badb6028890d5eb317c46
                                                            • Instruction ID: 4c669f58ef15c3b8ac3364abaad5295f2598e0b2ce9967bf056a246eab134c96
                                                            • Opcode Fuzzy Hash: 537ac9ed0109383f7f6175824169bac313fa7d70157badb6028890d5eb317c46
                                                            • Instruction Fuzzy Hash: 25115A70D04218CBCB148FA5C418BEEBBF1BB4E319F155869D841B3291C7749A44EF68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0111BAD9, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0111BB48
                                                            • GetCurrentThread.KERNEL32 ref: 0111BB85
                                                            • GetCurrentProcess.KERNEL32 ref: 0111BBC2
                                                            • GetCurrentThreadId.KERNEL32 ref: 0111BC1B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.666143170.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 02e0c20a53b211f09ea178e8af099ce9bdad5214054d5f02214991002f73109f
                                                            • Instruction ID: a96ecabd2a119c9c5baa482fb713997a322981cfac806a0ecacc4f87900f1f47
                                                            • Opcode Fuzzy Hash: 02e0c20a53b211f09ea178e8af099ce9bdad5214054d5f02214991002f73109f
                                                            • Instruction Fuzzy Hash: B15147B09046448FDB14CFAAD9887EEBBF1FF48304F208469E009A7765DB749949CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0111BAE8, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0111BB48
                                                            • GetCurrentThread.KERNEL32 ref: 0111BB85
                                                            • GetCurrentProcess.KERNEL32 ref: 0111BBC2
                                                            • GetCurrentThreadId.KERNEL32 ref: 0111BC1B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.666143170.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: b5743bf657d152046b49f651ae614cccc2c1c34127ee96319b08ec87a67cb93d
                                                            • Instruction ID: f8d91fd0b497fbe632ed1957d7e1281b3e862df172ffc77004952e0f28ff2c28
                                                            • Opcode Fuzzy Hash: b5743bf657d152046b49f651ae614cccc2c1c34127ee96319b08ec87a67cb93d
                                                            • Instruction Fuzzy Hash: 785157B09042488FDB14CFAAD948BEEBBF1FF48314F108469E409A7364DB749845CF69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C189D4, Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C18C16
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 82888be8442fe11e9b08c0b3fcc444070b38fee659a4ded2f2a2e189a9cf893c
                                                            • Instruction ID: 84579df54de99de0d6e9bfc45c58b3fca94559b5f7a2c22b29a701955597633b
                                                            • Opcode Fuzzy Hash: 82888be8442fe11e9b08c0b3fcc444070b38fee659a4ded2f2a2e189a9cf893c
                                                            • Instruction Fuzzy Hash: AC91AD71D04219DFDB20CF68CD41BEEBBB2BF49304F148969D809A7280DB749A86DF95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C189E0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C18C16
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 888eb376e48ae06ad7c329cb50caf168d7120c818ddcfdccde45be842c9b280f
                                                            • Instruction ID: 09eb0bfaffd4c3752fa572d399adee70c7e9d49f2d4ff94a3abc0fe6d30504f1
                                                            • Opcode Fuzzy Hash: 888eb376e48ae06ad7c329cb50caf168d7120c818ddcfdccde45be842c9b280f
                                                            • Instruction Fuzzy Hash: 8291AD71D04219DFDB20CF68CD41BEEBBB2BF49314F048969D809A7280DB749A85CF95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 011197F0, Relevance: 1.7, APIs: 1, Instructions: 196COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01119A36
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.666143170.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 4bfcbeafbe357c07fa8262271a8579b3ff298021211d1fd1084593d7a07658b1
                                                            • Instruction ID: 6082073a241cde154c09ae031420a4c8d6daa25d9be73080a426705e35393f9d
                                                            • Opcode Fuzzy Hash: 4bfcbeafbe357c07fa8262271a8579b3ff298021211d1fd1084593d7a07658b1
                                                            • Instruction Fuzzy Hash: 397148B0A00B098FDB28DF6AD05479ABBF1FF88218F00892DD55AD7A14D775E909CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C18750, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05C187E8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 2e3e2b7c268df8b6f350c9396010074cbb29232518e1ff5b9556382022e6bd85
                                                            • Instruction ID: c22822e9b95359e8590fcc5eb93fadd90a38f2b91b34221a658e04d514c3a7de
                                                            • Opcode Fuzzy Hash: 2e3e2b7c268df8b6f350c9396010074cbb29232518e1ff5b9556382022e6bd85
                                                            • Instruction Fuzzy Hash: F52135719042599FCF10CFA9C8857EEBBF1FF48314F10882AE959A7240C7789945CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C18758, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05C187E8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 0f553ead03263c5c37a68fde397711bf61cd547616874aa1f4a9751e3e8397cc
                                                            • Instruction ID: 1a489391e4ab0b84884d4b3502054d3be0c3c6bbc256c191efa3222d029e79c8
                                                            • Opcode Fuzzy Hash: 0f553ead03263c5c37a68fde397711bf61cd547616874aa1f4a9751e3e8397cc
                                                            • Instruction Fuzzy Hash: E52127719043599FCF10CFA9C8857EEBBF5FF48314F10842AE919A7250CB78A945CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C185B8, Relevance: 1.6, APIs: 1, Instructions: 65threadinjectionCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 05C1863E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: ContextThread
                                                            • String ID:
                                                            • API String ID: 1591575202-0
                                                            • Opcode ID: 1a81ebfb97ad9acbaceffafe73b58265175edc5cef9959fe54d64bdb9f1380ca
                                                            • Instruction ID: 5e6717cdadf733f1736c2e4dcf75c441fc8d20d386ffabe64aa08802d3155f6b
                                                            • Opcode Fuzzy Hash: 1a81ebfb97ad9acbaceffafe73b58265175edc5cef9959fe54d64bdb9f1380ca
                                                            • Instruction Fuzzy Hash: 3F2159719042498FDB50CFAAC4857EEBBF0FF88354F10842AD459A7240CB78A649CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C18841, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C188C8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 1fb74c3dbf7041ff346a92892255a28789c3f1bf76e05fe5a670cefa22281e84
                                                            • Instruction ID: 10a183f16e8d8d4b00ef1c47e92de65d2c28c6cf3fb132784fc9948e91a72ee6
                                                            • Opcode Fuzzy Hash: 1fb74c3dbf7041ff346a92892255a28789c3f1bf76e05fe5a670cefa22281e84
                                                            • Instruction Fuzzy Hash: A92116B1D002599FDB10CFAAC8816EEBBF1FF48314F11842AE559A7250C778A545CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C185C0, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 05C1863E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: ContextThread
                                                            • String ID:
                                                            • API String ID: 1591575202-0
                                                            • Opcode ID: 4515bec081386125d99457ba47fdce29aae40a00eea2591f8c79485209d094fe
                                                            • Instruction ID: 58dd67bd336f2c976fe8c00d046971685378ce9ff420e9d8693de6f9a6fe1103
                                                            • Opcode Fuzzy Hash: 4515bec081386125d99457ba47fdce29aae40a00eea2591f8c79485209d094fe
                                                            • Instruction Fuzzy Hash: 032149719043088FDB50CFAAC4857EEBBF4FF49364F14842AD919A7240CB78A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C18848, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C188C8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: a459a3932fb29e2cdeca1dc17c19b7af85cab808acd6f6c2e6cb7805d3f3222c
                                                            • Instruction ID: 10f61d9abb14551c739a5abbda80e2a3584ed2a01474fc7699122ae9d01d4a67
                                                            • Opcode Fuzzy Hash: a459a3932fb29e2cdeca1dc17c19b7af85cab808acd6f6c2e6cb7805d3f3222c
                                                            • Instruction Fuzzy Hash: 092128B19043599FCF10CFAAC8807EEBBF5FF48314F10842AE919A7250C7789945CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0111BD10, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0111BD97
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.666143170.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 85ba1df80ac15392c409a961e673635c5a6a2367de71f0842ee4b9769d84083a
                                                            • Instruction ID: 43a7c0f25dd00ea2ae65ca10a14266ddda6b7aec836824cc3501b4cb2ca82f30
                                                            • Opcode Fuzzy Hash: 85ba1df80ac15392c409a961e673635c5a6a2367de71f0842ee4b9769d84083a
                                                            • Instruction Fuzzy Hash: E921E4B5900258AFDF10CFAAD884ADEFBF4FB48324F14841AE914A3310D378A945CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0111BD0F, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0111BD97
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.666143170.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 9d1da9f0f3737a543ba07bb1572cbbd376cab8e34ed1cf467a9ef0a2c1d121aa
                                                            • Instruction ID: c3904e3017a2ff657c9edb159c060fd1f96a55aa45e4d924c7cf19a43cc66422
                                                            • Opcode Fuzzy Hash: 9d1da9f0f3737a543ba07bb1572cbbd376cab8e34ed1cf467a9ef0a2c1d121aa
                                                            • Instruction Fuzzy Hash: 5521E3B5900258AFDB10CFA9D884ADEBBF4EB48324F14841AE914A7310D378A945CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C18690, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05C18706
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 79f4ddeb07a679f14b297962cdfbe713d4b1750e906b2f72e9324e0e3d433929
                                                            • Instruction ID: 8af4f882bdd824fd0f07d866434bce9dc4e88e5d38e916487e853a9313d4e75c
                                                            • Opcode Fuzzy Hash: 79f4ddeb07a679f14b297962cdfbe713d4b1750e906b2f72e9324e0e3d433929
                                                            • Instruction Fuzzy Hash: 021144719042498FDB20DFA9C845BEEBBF5EB88324F10881AE569A7210C775A545CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01119240, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01119AB1,00000800,00000000,00000000), ref: 01119CC2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.666143170.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: edb7ef580144fab28cc1a2a581fde5f362e7452416f39efa62c86156cb5d3516
                                                            • Instruction ID: 4ab5e470e4315919364d769f18ddac75685a047d10d4878933d24b984ecd8811
                                                            • Opcode Fuzzy Hash: edb7ef580144fab28cc1a2a581fde5f362e7452416f39efa62c86156cb5d3516
                                                            • Instruction Fuzzy Hash: 151117B29043489FDB14CF9AC844BDEFBF4EB58314F00842AD565A7600C775A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C18698, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05C18706
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 286e7eaf89fe9e28b9d2a970fb4aa394994a9f099e79e024291651c3c07a9213
                                                            • Instruction ID: 01e2834a315472e5433167a482861f191b54ce328354f4596979b64b5e4bcb79
                                                            • Opcode Fuzzy Hash: 286e7eaf89fe9e28b9d2a970fb4aa394994a9f099e79e024291651c3c07a9213
                                                            • Instruction Fuzzy Hash: EA1137719042489FCF10DFAAC8447EFBBF5EF89324F148819E515A7250C775A945CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01119C57, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01119AB1,00000800,00000000,00000000), ref: 01119CC2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.666143170.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 9df915e5ce2275ddfc0e5fc06eb551bd4ee92c4d469a0b2ef54585034db0bc02
                                                            • Instruction ID: 232588c3038a207e5817f108bc3f02ea165c36e1f3d28ea3c259e60f51646054
                                                            • Opcode Fuzzy Hash: 9df915e5ce2275ddfc0e5fc06eb551bd4ee92c4d469a0b2ef54585034db0bc02
                                                            • Instruction Fuzzy Hash: 571123B29002488FDB14CF9AD844BDEFBF4EB88324F00842AD469A7600C378A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C18508, Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: ff79f9c0f15a3d5be0cd55761b9bde830f4e3da949d089e41ba101dbf983c378
                                                            • Instruction ID: fd87e14a5522b971811ac3222af338204912f3b1a021d83a3a40831f1ccfd2c7
                                                            • Opcode Fuzzy Hash: ff79f9c0f15a3d5be0cd55761b9bde830f4e3da949d089e41ba101dbf983c378
                                                            • Instruction Fuzzy Hash: F7115871D042498FDB20CFAAD4857EEFBF5EF88224F14881ED469A7210CB78A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C18510, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: acbf4caffa9e07100e6a93505e55aed4b11f8fc4168e671af5422808268109be
                                                            • Instruction ID: f0b85930a35a6f5a7c69fe198dc7321ced11633ec46487563d3f4e17637dccdf
                                                            • Opcode Fuzzy Hash: acbf4caffa9e07100e6a93505e55aed4b11f8fc4168e671af5422808268109be
                                                            • Instruction Fuzzy Hash: E5113A71D043488BDB10DFAAC8457EEFBF5EB89224F14841AD519A7250CB78A945CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 011199D0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01119A36
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.666143170.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: cdee6f9da159e9916d5e8ee2e4f8f0814c84f59290e965004f4aef0376b4ad3d
                                                            • Instruction ID: 3dc8821b557c639ffa3eb3417590d3c50f758d6b72f5ae1a4e763168b405a2a4
                                                            • Opcode Fuzzy Hash: cdee6f9da159e9916d5e8ee2e4f8f0814c84f59290e965004f4aef0376b4ad3d
                                                            • Instruction Fuzzy Hash: 3111E3B6D007498FDF14CF9AD844BDEFBF4AB88224F14842AD429B7600C374A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C1B220, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostMessageW.USER32(?,?,?,?), ref: 05C1B27D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: cefb7d5a8e33f82f2cb37c60e02fde1a193853ac9ddbc42364ac23404da5a2d4
                                                            • Instruction ID: 5cd29c528f4a32b4da35ce1e7da966c71fed79594effe34781014d6bfb59a121
                                                            • Opcode Fuzzy Hash: cefb7d5a8e33f82f2cb37c60e02fde1a193853ac9ddbc42364ac23404da5a2d4
                                                            • Instruction Fuzzy Hash: AA1112B5800348DFDB10CF9AD885BDEBBF8FB58324F10841AE818A7600C374A944CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C1B219, Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostMessageW.USER32(?,?,?,?), ref: 05C1B27D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: 816a498f3d433383beeb5b1e3a7891ee9b91e6026498813edb358c1c16d4d8b8
                                                            • Instruction ID: 12529e57cae350374c9699194aa9cbaf886964801b9cae0380ca87934dd4d62e
                                                            • Opcode Fuzzy Hash: 816a498f3d433383beeb5b1e3a7891ee9b91e6026498813edb358c1c16d4d8b8
                                                            • Instruction Fuzzy Hash: B711F2B5800359DFDB10CF99D985BDEBBF4FB58324F10841AD858A7600C374A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Function 0111E8A0, Relevance: .3, Instructions: 315COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.666143170.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b8fc074f327d0c99a40dbdd8fcf8785b5c862f0699e70b34a1bb4cbe915de785
                                                            • Instruction ID: a899ea876b9eb944e9be4cb2775d814fda6004192336fb0f57ecdc971eff6200
                                                            • Opcode Fuzzy Hash: b8fc074f327d0c99a40dbdd8fcf8785b5c862f0699e70b34a1bb4cbe915de785
                                                            • Instruction Fuzzy Hash: F012E6F94017468AD730CF66ED981893BE1B745B2CF984A08D2E11FAE9D7BE114ACF44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0111C62C, Relevance: .3, Instructions: 265COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.666143170.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01a012a6f2c8a17ceea0565c277d096cffdea9ac4be13ec4548eb8cca6b2c2e1
                                                            • Instruction ID: 6ffa081794a02e3e903098902a23d7846df664d70c8201b5a374da5375c74f39
                                                            • Opcode Fuzzy Hash: 01a012a6f2c8a17ceea0565c277d096cffdea9ac4be13ec4548eb8cca6b2c2e1
                                                            • Instruction Fuzzy Hash: 60A18E32E0061ACFCF19DFA5D8445EDFBB2FF88300B15857AE905AB225DB71A945CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C16DC8, Relevance: .3, Instructions: 252COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6070fd719b29f15f906837c8b1144ab037dcab329aba2e944997a7f7dc481aca
                                                            • Instruction ID: a043dd5bd88b312f01f3a46bba81c28c6909f8adb1517c442b1ad3eff6953d52
                                                            • Opcode Fuzzy Hash: 6070fd719b29f15f906837c8b1144ab037dcab329aba2e944997a7f7dc481aca
                                                            • Instruction Fuzzy Hash: 39B14374E04258CFDB10CFE9C584AADBBF2BF4A304F24D669D809A7241DB349981CF59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0111E890, Relevance: .2, Instructions: 220COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.666143170.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cbbeefdd945a1175b369682a9abb5c8797a2c0dcb9155077b7f434b52f64afda
                                                            • Instruction ID: 231c21522750eb8e9023cfb42c7654fe159764a0f05e5746b392bd5fb09e4eda
                                                            • Opcode Fuzzy Hash: cbbeefdd945a1175b369682a9abb5c8797a2c0dcb9155077b7f434b52f64afda
                                                            • Instruction Fuzzy Hash: 51C11DB99117468BD720CF66EC881897BF1FB85B2CF584A08D2A12F6D9D7BE1046CF44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0111E89F, Relevance: .2, Instructions: 217COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.666143170.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8d2d53212d255ac5a618d7703002a70d89a0b87b381ea4893a615a02ed48ba67
                                                            • Instruction ID: ed80d698d9d666d594e259713cc58511de787603d6eb4a5ef2668697909f8494
                                                            • Opcode Fuzzy Hash: 8d2d53212d255ac5a618d7703002a70d89a0b87b381ea4893a615a02ed48ba67
                                                            • Instruction Fuzzy Hash: 22C10DB98117468AD720CF66EC981897BF1FB85B2CF584A08D2A12F6D9D7BE1046CF44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C16DB8, Relevance: .2, Instructions: 213COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dd4ef5661bccd4ff98528b5d183ccb041429fbefcb9a6a86c7010e721f936854
                                                            • Instruction ID: 66d8aa9cc5b3fbf1b1fbf8395fb0740c0ba99a0ed3268198486ec7d5bbc9c450
                                                            • Opcode Fuzzy Hash: dd4ef5661bccd4ff98528b5d183ccb041429fbefcb9a6a86c7010e721f936854
                                                            • Instruction Fuzzy Hash: A1913474E04258CFDB14CFA9C584AADBBF2BF49304F24D56AD809A7241EB349A81CF19
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C10B59, Relevance: .1, Instructions: 147COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 47c1a1a8cede0b7ce39dfe7130f5408adc0b70340a6fa9c6edd38d37dd81e16d
                                                            • Instruction ID: 86ee2681dda7b897d0162364e58cc5127ab76fb9547742a631fb57132f18c94e
                                                            • Opcode Fuzzy Hash: 47c1a1a8cede0b7ce39dfe7130f5408adc0b70340a6fa9c6edd38d37dd81e16d
                                                            • Instruction Fuzzy Hash: 0F517D74A102889FDB44DFB5E45569EBBF3EF89308F04C829E0159B7A4DFB5190ACB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C10B68, Relevance: .1, Instructions: 145COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 82ba2fcf36e530dbda15dd550c1ac693152602d82e72aecbc248cb6e8c491d1b
                                                            • Instruction ID: f99b890bc9dbf9c632eb141c46ff11db2f7c472557089b037e1d8ef9d9dc4f28
                                                            • Opcode Fuzzy Hash: 82ba2fcf36e530dbda15dd550c1ac693152602d82e72aecbc248cb6e8c491d1b
                                                            • Instruction Fuzzy Hash: 48516D74A102899FDB44DFA5E45568EBBF3EFC9308F04C829E0159B7A4DFB5190ACB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05C1B550, Relevance: .0, Instructions: 43COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.671370955.0000000005C10000.00000040.00000001.sdmp, Offset: 05C10000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 675a594245a32fe9ec2c1d61268e64340ca8786d768049143baea5cda9b4c9f8
                                                            • Instruction ID: 65ad37586abaa1fb496980d199ce9e695c02314c1ff06cd32997824a62562b74
                                                            • Opcode Fuzzy Hash: 675a594245a32fe9ec2c1d61268e64340ca8786d768049143baea5cda9b4c9f8
                                                            • Instruction Fuzzy Hash: 81015670D042588FCB04CFAAC408BEDBBF1BB4E305F08946AD841B3290D7789A84DF68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Analysis Process: SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe PID: 3152 Parent PID: 7164 SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exeCOMMON

                                                            Executed Functions

                                                            Function 0652C008, Relevance: 9.5, APIs: 1, Strings: 4, Instructions: 704COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1002375687.0000000006520000.00000040.00000001.sdmp, Offset: 06520000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \$\$\$\
                                                            • API String ID: 0-3238275731
                                                            • Opcode ID: 92e6e0cea5d6062d354144fd5b3bb5d524c24a86512151ea7198c7d379204d86
                                                            • Instruction ID: 01ce1370312e909f3791a4712c7191ecfc7c494bc06167b9b186be8e7780ffc6
                                                            • Opcode Fuzzy Hash: 92e6e0cea5d6062d354144fd5b3bb5d524c24a86512151ea7198c7d379204d86
                                                            • Instruction Fuzzy Hash: CC32FE31B002169FDB94AB74CC44BAEB7A6FF85214F248529E5169B3D6EF34DC41CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01246928, Relevance: 2.4, APIs: 1, Instructions: 863COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 08df0ee6221832db2fb9c0c3e692d35bc4f88ca570f7dcc0ae9ab24a9024fbec
                                                            • Instruction ID: 1b51207d4a6b219241743485ecd81bebb519026294dda6157d5d1a245a5e1d9e
                                                            • Opcode Fuzzy Hash: 08df0ee6221832db2fb9c0c3e692d35bc4f88ca570f7dcc0ae9ab24a9024fbec
                                                            • Instruction Fuzzy Hash: 3472E130A1024A8FEB29DF78C4447ADBBA2EF86304F148069D609DF3A6DB74DC45CB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0124BCF0, Relevance: 2.3, APIs: 1, Instructions: 774COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • AnimateWindow.USER32(00000001,00000000,00000000,00000000,?,?), ref: 0124C17B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID: AnimateWindow
                                                            • String ID:
                                                            • API String ID: 646619712-0
                                                            • Opcode ID: 9e2c9d8e026913d58662f0b043871a4c3962adc04b40fd737bb8c19c5e1ba44b
                                                            • Instruction ID: 7e8e07fda6ad2cf6e0d1008e0f28404cf0c6a45927586158ddf9e205dd253838
                                                            • Opcode Fuzzy Hash: 9e2c9d8e026913d58662f0b043871a4c3962adc04b40fd737bb8c19c5e1ba44b
                                                            • Instruction Fuzzy Hash: FC421231F112069FEB299B7CC8547AE7AB2AF85310F148469E609EF391CB75CC52C792
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0652DC38, Relevance: 2.3, APIs: 1, Instructions: 760libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1002375687.0000000006520000.00000040.00000001.sdmp, Offset: 06520000, based on PE: false
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 994a9107dd88924d9f1321fa508074222c21659e7320b6b43b357d55867170e4
                                                            • Instruction ID: cfe60690a901f8d7f83062bfa818e19bc90829808be20c6f3efa712dcdfac5bf
                                                            • Opcode Fuzzy Hash: 994a9107dd88924d9f1321fa508074222c21659e7320b6b43b357d55867170e4
                                                            • Instruction Fuzzy Hash: 9A622B31E006298FCB64EF78C85569DB7B2BF89304F1085A9D54AAB355EF34AD81CF81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01246014, Relevance: 2.1, APIs: 1, Instructions: 627COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • AnimateWindow.USER32(00000001,00000000,00000000,00000000,?,00000000), ref: 012464A2
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID: AnimateWindow
                                                            • String ID:
                                                            • API String ID: 646619712-0
                                                            • Opcode ID: 4fccbe089ed7c48f75482f2428062cd7045024d85c2cb7b4a59f555e6cf1cbca
                                                            • Instruction ID: 5ab124e04a78bdccf113511288cd44e3d70bfd87bd8e383d7c4ae638b3591303
                                                            • Opcode Fuzzy Hash: 4fccbe089ed7c48f75482f2428062cd7045024d85c2cb7b4a59f555e6cf1cbca
                                                            • Instruction Fuzzy Hash: 9832C230A0024A8FEB29DBB8C4547ADBBA2EF86304F24C469D5199F396DB74DC45CB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 016A6B7F, Relevance: 6.1, APIs: 4, Instructions: 139threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 016A6C10
                                                            • GetCurrentThread.KERNEL32 ref: 016A6C4D
                                                            • GetCurrentProcess.KERNEL32 ref: 016A6C8A
                                                            • GetCurrentThreadId.KERNEL32 ref: 016A6CE3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999335169.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: d8ac378f542f06b2b6556430bf41dee8cbadb25da5186f1ff2e94395b9039431
                                                            • Instruction ID: b8188b2c1040fef85ae7a07743bdf7f4d7e9d6596d9e33f02e14231451117986
                                                            • Opcode Fuzzy Hash: d8ac378f542f06b2b6556430bf41dee8cbadb25da5186f1ff2e94395b9039431
                                                            • Instruction Fuzzy Hash: D95175B0D042898FDB50CFAAC988BEEBFF0EF89314F14849AD549A7251D7345985CF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 016A6BB0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 016A6C10
                                                            • GetCurrentThread.KERNEL32 ref: 016A6C4D
                                                            • GetCurrentProcess.KERNEL32 ref: 016A6C8A
                                                            • GetCurrentThreadId.KERNEL32 ref: 016A6CE3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999335169.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 3194a2e411fbeacc5fdde908a4a5c46499ae16c94a8e945eb75f1d8d227c7a15
                                                            • Instruction ID: 00471cf247e7cad84f14667726b987d135e77d0bba3755215d5193dc53e04ebc
                                                            • Opcode Fuzzy Hash: 3194a2e411fbeacc5fdde908a4a5c46499ae16c94a8e945eb75f1d8d227c7a15
                                                            • Instruction Fuzzy Hash: EA5165B0D002498FDB54CFAADA48BEEBBF1EF89314F248459E519A7390D7346884CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01246C68, Relevance: 1.8, APIs: 1, Instructions: 294COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DrawCaptionTempA.USER32(00000000,00000000,?,?), ref: 01246F6B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID: CaptionDrawTemp
                                                            • String ID:
                                                            • API String ID: 3417575192-0
                                                            • Opcode ID: f5084490aa4cef14b237f7b845d2b22550a3b6a9773111509406a380bfdeecd4
                                                            • Instruction ID: 933111471505fbf5e20df164690fda214db9a8e4ac84c4892ae6b0270b8404c3
                                                            • Opcode Fuzzy Hash: f5084490aa4cef14b237f7b845d2b22550a3b6a9773111509406a380bfdeecd4
                                                            • Instruction Fuzzy Hash: FDC1E631A10249DFCF1ACFA8C844ADDBFB1FF8A310F15806AE945AB352D775A855CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01248310, Relevance: 1.7, APIs: 1, Instructions: 248COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • AnimateWindow.USER32(00000001), ref: 0124835E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID: AnimateWindow
                                                            • String ID:
                                                            • API String ID: 646619712-0
                                                            • Opcode ID: fd3195edce2f0ce40b5e6fcf188a76f72f10d7df622c05d062319583fcb34e63
                                                            • Instruction ID: 9d467df7a62f1489895ea289b35b62f671ad8247139ba1f196c9a34fcc17abb0
                                                            • Opcode Fuzzy Hash: fd3195edce2f0ce40b5e6fcf188a76f72f10d7df622c05d062319583fcb34e63
                                                            • Instruction Fuzzy Hash: 8C91BE307201169FDB09EFA8C855BAF7BA2EB88244F558428E606DB395DBB1DC41CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0124C032, Relevance: 1.7, APIs: 1, Instructions: 217COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • AnimateWindow.USER32(00000001,00000000,00000000,00000000,?,?), ref: 0124C17B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID: AnimateWindow
                                                            • String ID:
                                                            • API String ID: 646619712-0
                                                            • Opcode ID: a8884676b3fdbd13e09f19d336327c6f1753f37c6d947c0cb6a6e7e4164e35b6
                                                            • Instruction ID: d293f934cdd651fdc1b83a9ce283e714fe98e3d51aec48b9983c638d670da6a1
                                                            • Opcode Fuzzy Hash: a8884676b3fdbd13e09f19d336327c6f1753f37c6d947c0cb6a6e7e4164e35b6
                                                            • Instruction Fuzzy Hash: 3D81A330F1121A9FEB19DBACC8907ADBBB2AF84304F148468E605AF395DB75DC52CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0652C9D8, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1002375687.0000000006520000.00000040.00000001.sdmp, Offset: 06520000, based on PE: false
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: ba75e16b5bcab1b709445b7203ef9767d769c325039498b960034ad45952223b
                                                            • Instruction ID: cc962df8fa65592d6b446884d5797a4c9792a970880a80b5a1a9a071cf649d80
                                                            • Opcode Fuzzy Hash: ba75e16b5bcab1b709445b7203ef9767d769c325039498b960034ad45952223b
                                                            • Instruction Fuzzy Hash: 9A614F30E0021A9BDB94EFB4D8586AE77B6BF85305F108829D416A7395DF789C45CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0652C748, Relevance: 1.6, APIs: 1, Instructions: 138libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LdrInitializeThunk.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 0652C7A7
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1002375687.0000000006520000.00000040.00000001.sdmp, Offset: 06520000, based on PE: false
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 837fa3980748fe92f39253aca80649dcd3b7f1272008b632bce9db9bfa314829
                                                            • Instruction ID: 2beadef3a1215e5439a8035d400bf818af746e9a4142805238f97ab00e8be960
                                                            • Opcode Fuzzy Hash: 837fa3980748fe92f39253aca80649dcd3b7f1272008b632bce9db9bfa314829
                                                            • Instruction Fuzzy Hash: FD417331B102069FCB54EFB4DC54AAEB7F5BF89204F14892DD512AB295EF34E805CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01246E23, Relevance: 1.6, APIs: 1, Instructions: 123COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6017a6d345c53ca00e9140779d033763c4df380318b3290bb237be0a3ecd5dc7
                                                            • Instruction ID: 6846214fa6d4ba2679bc753a72ad112fcfabfde6fb1710b0cd8f4c56d191978b
                                                            • Opcode Fuzzy Hash: 6017a6d345c53ca00e9140779d033763c4df380318b3290bb237be0a3ecd5dc7
                                                            • Instruction Fuzzy Hash: 2141D731B14249DFCF1ACFA8C844AAEBFF1AF4A310F058155E9469B252D371E925CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 016A51E5, Relevance: 1.6, APIs: 1, Instructions: 117COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016A5302
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999335169.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 2b08c9a2518b9bd9fcd64e46afbb2d8fb24f687445f24ad2ed528fc1a46a6848
                                                            • Instruction ID: 804bdd94f665488e6e3d7d6093c708d8f79c61eaa97b023a5e81e8cb28b0b18c
                                                            • Opcode Fuzzy Hash: 2b08c9a2518b9bd9fcd64e46afbb2d8fb24f687445f24ad2ed528fc1a46a6848
                                                            • Instruction Fuzzy Hash: 4151C2B1D003499FDF14CFA9C880ADEBFB5BF88310F64812AE819AB210D7759985CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0652C928, Relevance: 1.6, APIs: 1, Instructions: 115libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1002375687.0000000006520000.00000040.00000001.sdmp, Offset: 06520000, based on PE: false
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: ae6aa86bbfc931a4d84494f1f2153a1b743def5ad08a46f21c86643b523b44b2
                                                            • Instruction ID: 488812aec5388c04c47e1444680570145e7655a8ba9814ca0b4b958d9344a8e3
                                                            • Opcode Fuzzy Hash: ae6aa86bbfc931a4d84494f1f2153a1b743def5ad08a46f21c86643b523b44b2
                                                            • Instruction Fuzzy Hash: 3B411230A053969FD741CB74D854AAE7BB1BF86308F15C4AAE000AB392CB39DC49CF20
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 016A51F0, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016A5302
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999335169.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: cc595331b9e9a7274befa74de9c5118823e39af3ee0eec07b153a8034e17d31a
                                                            • Instruction ID: bd6cfc2bcf63517f62999d8daae7e0b067c903db19c5f165bc91f789123f28e7
                                                            • Opcode Fuzzy Hash: cc595331b9e9a7274befa74de9c5118823e39af3ee0eec07b153a8034e17d31a
                                                            • Instruction Fuzzy Hash: AF41A0B1D003499FDF14CFA9C884ADEBFB5BF88314F64812AE819AB210D7749945CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 016A69C4, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 016A7D59
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999335169.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                            Similarity
                                                            • API ID: CallProcWindow
                                                            • String ID:
                                                            • API String ID: 2714655100-0
                                                            • Opcode ID: a6b0610e0b0e940d47d27461ca6915e23f78d51480d894d61e7f8ea8c22683e6
                                                            • Instruction ID: 1623950a5888cd4f83b1d5799986fdadb883026ecaa87ad38b2c2b19ee7295ea
                                                            • Opcode Fuzzy Hash: a6b0610e0b0e940d47d27461ca6915e23f78d51480d894d61e7f8ea8c22683e6
                                                            • Instruction Fuzzy Hash: CE4138B6A00345DFDB14DF99C888BAABBF5FB88314F14C459D519AB321D735A841CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012437D7, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 01243899
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID:
                                                            • API String ID: 3660427363-0
                                                            • Opcode ID: 17dbbbba673f1359d2e125cffe7a4bce7ea878dbf4dd6f54d448741bcc7baae6
                                                            • Instruction ID: 4a9ad1c8c9e736a9682c9389aaf6a813448b7605919829e272787ceebdb6e802
                                                            • Opcode Fuzzy Hash: 17dbbbba673f1359d2e125cffe7a4bce7ea878dbf4dd6f54d448741bcc7baae6
                                                            • Instruction Fuzzy Hash: A141FEB1D102689FDB14CFA9C884ADEFFF5BF48310F14802AE819AB210D7749945CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012437E0, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 01243899
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID:
                                                            • API String ID: 3660427363-0
                                                            • Opcode ID: f5fcfb982829f830b9c59922eb45e74b9e41c3eba801294ea85c237b8f170ada
                                                            • Instruction ID: 9a2fe7610607b237659f765bf29ced153392963650802b9915a491ff89487c21
                                                            • Opcode Fuzzy Hash: f5fcfb982829f830b9c59922eb45e74b9e41c3eba801294ea85c237b8f170ada
                                                            • Instruction Fuzzy Hash: D731DDB1D102699FDB14CFAAC884A8EFFF5BF48714F14812AE919AB310D7749945CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012482C8, Relevance: 1.6, APIs: 1, Instructions: 81COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • AnimateWindow.USER32(00000001), ref: 0124835E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID: AnimateWindow
                                                            • String ID:
                                                            • API String ID: 646619712-0
                                                            • Opcode ID: 3df4856a0e86b87e63cad0b16f9dd3029d58123852b6d90f9f3685b1e949cac1
                                                            • Instruction ID: c175136ddb15ad9f0b6e7ce29051354abf965808f26b63eaf4233c26dc85acaa
                                                            • Opcode Fuzzy Hash: 3df4856a0e86b87e63cad0b16f9dd3029d58123852b6d90f9f3685b1e949cac1
                                                            • Instruction Fuzzy Hash: A3212131B30256CFC709DBA8D444BAE7BE2AB85610F158079D606CB351EB71DC41CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01243578, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 0124362C
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: 5bd8a1556a96dd3d4b31f726b9dab4f6e320f9766f252ababa420a0605dcfa08
                                                            • Instruction ID: 9f0353a75d924fd8752926b5b53c3100b573ffaa657780aadd738e910802a3e4
                                                            • Opcode Fuzzy Hash: 5bd8a1556a96dd3d4b31f726b9dab4f6e320f9766f252ababa420a0605dcfa08
                                                            • Instruction Fuzzy Hash: 103100B1D012599FDB14CF99C584A8EFFF5BF48314F28816AE808AB340C7759989CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01243577, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 0124362C
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: b900337904b74c1b68c48946af99ac995231ca73bda608b8c1d12e0f22d65954
                                                            • Instruction ID: e67385d55398878471bd4f05367fa3ac6dc4647ea53b338b9ec8566eae8f44d7
                                                            • Opcode Fuzzy Hash: b900337904b74c1b68c48946af99ac995231ca73bda608b8c1d12e0f22d65954
                                                            • Instruction Fuzzy Hash: F7310FB1D012599FDB04CF99C584A8EFBF5BF48314F28856AE408AB344C7759989CF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 016A6DD1, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016A6E5F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999335169.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: a512bbff5f3b64dbbf9bafbc88925344eeaaa86768e3dafdaa930b09c8ff5bbc
                                                            • Instruction ID: f537ad3675670823999fa08c5ee345859d7a8913ddf048beea9e6fe32379aca2
                                                            • Opcode Fuzzy Hash: a512bbff5f3b64dbbf9bafbc88925344eeaaa86768e3dafdaa930b09c8ff5bbc
                                                            • Instruction Fuzzy Hash: CA21E0B5900248AFDB10CFA9D884AEEBBF4FB48324F14801AE914A7310D778A955CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 016A6DD8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016A6E5F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999335169.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 220d7c7c286c3a1fa06907a0d90ff52707d0953d572e36ae16686dc193e3f64e
                                                            • Instruction ID: de1dd0048c024a7bbcd6ca334389c0d9aaa6a05a595217a93b093b8c42d8ac84
                                                            • Opcode Fuzzy Hash: 220d7c7c286c3a1fa06907a0d90ff52707d0953d572e36ae16686dc193e3f64e
                                                            • Instruction Fuzzy Hash: 8421D5B5D00248AFDB10CFA9D884ADEBBF4FB48324F14841AE914A7350D774A944CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01246F08, Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DrawCaptionTempA.USER32(00000000,00000000,?,?), ref: 01246F6B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.998513583.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                            Similarity
                                                            • API ID: CaptionDrawTemp
                                                            • String ID:
                                                            • API String ID: 3417575192-0
                                                            • Opcode ID: 4aa2c3df4a9e47a2bed3d90086ec0117a83ceddd355cbc9a1921e47b3d21893c
                                                            • Instruction ID: fb78a4e6ac55b67e67a003cceafaf79cc6b2ddc749cb4ec3efd18b701d597084
                                                            • Opcode Fuzzy Hash: 4aa2c3df4a9e47a2bed3d90086ec0117a83ceddd355cbc9a1921e47b3d21893c
                                                            • Instruction Fuzzy Hash: 891129316102069FCB18CF68C840B5FBFB6AF86354F498555E65A5B292D371F810C794
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 016A2F78, Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 016A4276
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999335169.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 6c70249c66606ff6a6ffccc92df3c7a3923fa9db869220f732382cfd73be2ff0
                                                            • Instruction ID: 725076cee6bd52a44ea4a7b547e000f071975fa6404887d8efddd1ccdd9a387f
                                                            • Opcode Fuzzy Hash: 6c70249c66606ff6a6ffccc92df3c7a3923fa9db869220f732382cfd73be2ff0
                                                            • Instruction Fuzzy Hash: 24216AB1C042898FDB10DFAAD844BDEBBF4AF49224F04846AC459A7700C779A546CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 016AC438, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlEncodePointer.NTDLL(00000000), ref: 016AC4B2
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999335169.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                            Similarity
                                                            • API ID: EncodePointer
                                                            • String ID:
                                                            • API String ID: 2118026453-0
                                                            • Opcode ID: 872d20c22d7ab6a73747d61e596f91fb531172d633d46fbda3e2d7991f704fd7
                                                            • Instruction ID: a63b7bda00ceb068d6a825fb142f3e0b62de09dcaf7029a0bdcbe8d698dc0d5d
                                                            • Opcode Fuzzy Hash: 872d20c22d7ab6a73747d61e596f91fb531172d633d46fbda3e2d7991f704fd7
                                                            • Instruction Fuzzy Hash: A111AC719013198FDF50CFA9C90879EBBF4EB49324F60882AD508A7741C7386844CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 016A420A, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 016A4276
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999335169.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 9092ac3d9979dfa17a2d11a30e53eb66729309930d3afab1e26ee79c6cfcea72
                                                            • Instruction ID: 53db0637b97a7298f5f8d6a29bfc137ffdc4e7c6bd4058840c5f7c2c13e63689
                                                            • Opcode Fuzzy Hash: 9092ac3d9979dfa17a2d11a30e53eb66729309930d3afab1e26ee79c6cfcea72
                                                            • Instruction Fuzzy Hash: 6111F0B2C002498BDB10CFAAC844BDEFBF4AF89324F14852AD429A7600C778A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 016A2F8C, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 016A4276
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999335169.00000000016A0000.00000040.00000001.sdmp, Offset: 016A0000, based on PE: false
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 94eb4272e0e397d160f99b3c4f3ac152fcf743470ab939cde9604c13adfe7a35
                                                            • Instruction ID: ea96acd4931ac91899c99376e7f7d32f41605af518881cf768bda41e2ad74584
                                                            • Opcode Fuzzy Hash: 94eb4272e0e397d160f99b3c4f3ac152fcf743470ab939cde9604c13adfe7a35
                                                            • Instruction Fuzzy Hash: 2911F3B1C042498BDB10CF9AD844BDEBBF4AB89214F54852AD429B7600C7B5A945CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0160D01C, Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999162114.000000000160D000.00000040.00000001.sdmp, Offset: 0160D000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fa9b124b03f34d34662ab0417b1b57732bfdf3c60fa57c5d18f4b57b68bab3e4
                                                            • Instruction ID: a5ccf55a94750e548f33341b13b85ecdece9cdd359ef354d57b6c10d89690450
                                                            • Opcode Fuzzy Hash: fa9b124b03f34d34662ab0417b1b57732bfdf3c60fa57c5d18f4b57b68bab3e4
                                                            • Instruction Fuzzy Hash: 6821D371604240EFDB1ACF94D8C4B27BB65EB88354F24C669D80E4B386C736D847CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0160D006, Relevance: .1, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.999162114.000000000160D000.00000040.00000001.sdmp, Offset: 0160D000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 09f6f6b55809e29f48a72aea8cc2b3d19217bd67abad4d4ac86442e1bfddd633
                                                            • Instruction ID: 4ef747b72db58c6a254e3a3c9fcf73afbcc7552847a8e15504e1c0c8f09dd415
                                                            • Opcode Fuzzy Hash: 09f6f6b55809e29f48a72aea8cc2b3d19217bd67abad4d4ac86442e1bfddd633
                                                            • Instruction Fuzzy Hash: 2B2192755093C08FCB07CF64D994716BF71EB46214F28C6DAD8498F697C33A980ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions