
Analysis Report PO202100046.exe

Overview

General Information

Sample Name: PO202100046.exe
Analysis ID: 356841
MD5: eafc433b4d4bf4a0edc9b57b6f4af8ec
SHA1: 0ba21c1f4f908e589db07ce4003786e0e7bf62d9
SHA256: 77ee17838c1ea6e3c69ec2989df485386800901ef0caac90e01fadbad225a354
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Binary contains a suspicious time stamp
Machine Learning detection for sample
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Startup

  • System is w10x64
  • PO202100046.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\PO202100046.exe' MD5: EAFC433B4D4BF4A0EDC9B57B6F4AF8EC)
    • PO202100046.exe (PID: 6988 cmdline: C:\Users\user\Desktop\PO202100046.exe MD5: EAFC433B4D4BF4A0EDC9B57B6F4AF8EC)
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram Info": {"Telegram ID": "1556351268", "Telegram Token": "1591373451:AAH6Q2mvjdA9146Wl0khv2-kuh-iTps2zjw"}}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.325194217.0000000004A90000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
(5 of 7 entries shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.PO202100046.exe.35ae570.3.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
0.2.PO202100046.exe.4a90000.8.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
0.2.PO202100046.exe.351bd40.5.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
0.2.PO202100046.exe.4a90000.8.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
0.2.PO202100046.exe.36a37b8.4.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
(5 of 9 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Info": {"Telegram ID": "1556351268", "Telegram Token": "1591373451:AAH6Q2mvjdA9146Wl0khv2-kuh-iTps2zjw"}}
Multi AV Scanner detection for submitted file
Source: PO202100046.exe | Virustotal: Detection: 35%
Source: PO202100046.exe | ReversingLabs: Detection: 31%
Machine Learning detection for sample
Source: PO202100046.exe | Joe Sandbox ML: detected
Source: 1.2.PO202100046.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen

Compliance:

Uses 32bit PE files
Source: PO202100046.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.6:49723 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO202100046.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: RunPE.pdb | source: PO202100046.exe, 00000000.00000002.323840825.0000000002481000.00000004.00000001.sdmp

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Joe Sandbox View | IP Address: 131.186.113.70
Source: Joe Sandbox View | IP Address: 172.67.188.154
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.6:49723 version: TLS 1.0
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: PO202100046.exe, 00000000.00000002.323550847.00000000006AB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: PO202100046.exe | Binary or memory string: OriginalFilename vs PO202100046.exe
Source: PO202100046.exe, 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCaptIt.dll. vs PO202100046.exe
Source: PO202100046.exe, 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename6D0VQXBZ.exe4 vs PO202100046.exe
Source: PO202100046.exe, 00000000.00000002.323840825.0000000002481000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE.dll" vs PO202100046.exe
Source: PO202100046.exe, 00000001.00000002.589473933.0000000000F4A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO202100046.exe
Source: PO202100046.exe, 00000001.00000002.588913424.0000000000CF6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO202100046.exe
Source: PO202100046.exe, 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilename6D0VQXBZ.exe4 vs PO202100046.exe
Source: PO202100046.exe | Binary or memory string: OriginalFilenameScreenCapturer.exe> vs PO202100046.exe
Source: PO202100046.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO202100046.exe, CaptureRectangle.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.PO202100046.exe.40000.0.unpack, CaptureRectangle.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PO202100046.exe.40000.0.unpack, CaptureRectangle.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.PO202100046.exe.8b0000.0.unpack, CaptureRectangle.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.PO202100046.exe.8b0000.1.unpack, CaptureRectangle.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal88.troj.spyw.evad.winEXE@3/1@3/2
Source: C:\Users\user\Desktop\PO202100046.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO202100046.exe.log
Source: PO202100046.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO202100046.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO202100046.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO202100046.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PO202100046.exe | Virustotal: Detection: 35%
Source: PO202100046.exe | ReversingLabs: Detection: 31%
Source: unknown | Process created: C:\Users\user\Desktop\PO202100046.exe 'C:\Users\user\Desktop\PO202100046.exe'
Source: unknown | Process created: C:\Users\user\Desktop\PO202100046.exe C:\Users\user\Desktop\PO202100046.exe
Source: C:\Users\user\Desktop\PO202100046.exe | Process created: C:\Users\user\Desktop\PO202100046.exe C:\Users\user\Desktop\PO202100046.exe
Source: C:\Users\user\Desktop\PO202100046.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO202100046.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO202100046.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO202100046.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb | source: PO202100046.exe, 00000000.00000002.323840825.0000000002481000.00000004.00000001.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xA4622821 [Thu May 24 02:17:05 2057 UTC]
Yara detected Beds Obfuscator
Source: Yara match | File source: 00000000.00000002.325194217.0000000004A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO202100046.exe PID: 6988, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO202100046.exe PID: 6952, type: MEMORY
Source: Yara match | File source: 0.2.PO202100046.exe.35ae570.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO202100046.exe.4a90000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO202100046.exe.351bd40.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO202100046.exe.4a90000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO202100046.exe.36a37b8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO202100046.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO202100046.exe.36a37b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO202100046.exe.35ae570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO202100046.exe.351bd40.5.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\PO202100046.exe | Code function: 1_2_0637B601 push es; iretd 1_2_0637B604
Source: C:\Users\user\Desktop\PO202100046.exe | Code function: 1_2_0637A76D push es; retf 1_2_0637A870
Source: C:\Users\user\Desktop\PO202100046.exe | Code function: 1_2_0637A83B push es; retf 1_2_0637A870
Source: C:\Users\user\Desktop\PO202100046.exe | Code function: 1_2_0637BC05 push 8B000003h; iretd 1_2_0637BC0C
Source: C:\Users\user\Desktop\PO202100046.exe | Code function: 1_2_0637B507 push es; ret 1_2_0637B600
Source: initial sample | Static PE information: section name: .text entropy: 7.98391026128
Source: C:\Users\user\Desktop\PO202100046.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PO202100046.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

Yara detected Beds Obfuscator
Source: Yara match; file source: 00000000.00000002.325194217.0000000004A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: PO202100046.exe PID: 6988, type: MEMORY
Source: Yara match; file source: Process Memory Space: PO202100046.exe PID: 6952, type: MEMORY
Source: Yara match; file source: 0.2.PO202100046.exe.35ae570.3.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.4a90000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.351bd40.5.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.4a90000.8.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.36a37b8.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.PO202100046.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.36a37b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.35ae570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.351bd40.5.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\PO202100046.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO202100046.exe TID: 6980; Thread sleep time: -922337203685477s >= -30000s
Source: PO202100046.exe, 00000001.00000002.589625854.0000000000FD2000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: C:\Users\user\Desktop\PO202100046.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO202100046.exe; Code function: 1_2_06371C50 LdrInitializeThunk,KiUserExceptionDispatcher,1_2_06371C50
Source: C:\Users\user\Desktop\PO202100046.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO202100046.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PO202100046.exe; Process created: C:\Users\user\Desktop\PO202100046.exe C:\Users\user\Desktop\PO202100046.exe
Source: PO202100046.exe, 00000001.00000002.589874015.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: PO202100046.exe, 00000001.00000002.589874015.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: PO202100046.exe, 00000001.00000002.589874015.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: &Program Manager
Source: PO202100046.exe, 00000001.00000002.589874015.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PO202100046.exe; Queries volume information: C:\Users\user\Desktop\PO202100046.exe VolumeInformation
Source: C:\Users\user\Desktop\PO202100046.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO202100046.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO202100046.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO202100046.exe; Queries volume information: C:\Users\user\Desktop\PO202100046.exe VolumeInformation
Source: C:\Users\user\Desktop\PO202100046.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO202100046.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO202100046.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\PO202100046.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO202100046.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO202100046.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
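Three facts in the evasion block above are worth confirming by hand rather than trusting the signature names. The delay value 922337203685477 is Int64.MaxValue ticks divided by 10,000, which is .NET TimeSpan.MaxValue expressed in milliseconds, so this is an effectively infinite sleep rather than a timing check. The sample spawns a second copy of itself. And the child process (dump index 00000001) holds a Yara-matching region at 0x402000 whose protection field reads 0x00000040, PAGE_EXECUTE_READWRITE, while the parent's matching regions are plain PAGE_READWRITE (0x00000004) heap: a decrypted payload staged in the parent and an executable image in the child is consistent with the "process in suspended mode" signature. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code; it extracts those three facts from behaviour lines like the ones above. The field layout assumed for the .sdmp names (process index, phase, timestamp, base address, protection, type) is inferred from the names on this page and is not documented here, and the sample lines are reconstructed from this report.

```python
import re
from typing import Dict, List, Tuple

# Win32 page-protection values (MEMORY_BASIC_INFORMATION.Protect, low byte).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_AND_WRITE = {0x40, 0x80}  # executable and writable at the same time

# Assumed field order of a Joe Sandbox memory-dump name (inferred, not documented on the page):
#   <process index>.<phase>.<timestamp>.<base address>.<protection>.<type>.sdmp
SDMP_RE = re.compile(
    r"([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
SPAWN_RE = re.compile(r"Process created: (\S+) (\S+)")

LONG_SLEEP_MS = 3 * 60 * 1000            # the report's "long sleeps (>= 3 min)" threshold
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # .NET TimeSpan.MaxValue in whole milliseconds


def decode_protect(value: int) -> str:
    """Name the page protection, ignoring modifier bits such as PAGE_GUARD (0x100)."""
    return PAGE_PROTECT.get(value & 0xFF, f"UNKNOWN(0x{value:x})")


def sleep_is_effectively_infinite(ms: int) -> bool:
    """True when the delay equals TimeSpan.MaxValue in ms (roughly 29,000 years)."""
    return ms == TIMESPAN_MAX_MS


def analyse(lines: List[str]) -> Dict[str, object]:
    """Summarise injection and evasion evidence from behaviour-report lines."""
    rwx: List[Tuple[str, int]] = []
    sleeps: List[int] = []
    self_spawn = False
    seen = set()
    for line in lines:
        for m in SDMP_RE.finditer(line):
            proc, base, prot = m.group(1), int(m.group(4), 16), int(m.group(5), 16)
            if prot & 0xFF in EXEC_AND_WRITE and (proc, base) not in seen:
                seen.add((proc, base))
                rwx.append((proc, base))
        for m in DELAY_RE.finditer(line):
            ms = int(m.group(1))
            if ms >= LONG_SLEEP_MS:
                sleeps.append(ms)
        m = SPAWN_RE.search(line)
        if m and m.group(1).lower() == m.group(2).lower():
            self_spawn = True
    return {"rwx_regions": rwx, "long_sleeps": sleeps, "self_spawn": self_spawn}


SAMPLE_LINES = [  # constructed from the report lines above
    "Source: Yara match; file source: 00000000.00000002.325194217.0000000004A90000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match; file source: 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    r"Source: C:\Users\user\Desktop\PO202100046.exe; Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\PO202100046.exe; Process created: C:\Users\user\Desktop\PO202100046.exe C:\Users\user\Desktop\PO202100046.exe",
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LINES)
    for proc, base in result["rwx_regions"]:
        print(f"process {proc}: executable+writable region at 0x{base:x}")
    for ms in result["long_sleeps"]:
        print(f"long sleep: {ms} ms (TimeSpan.MaxValue: {sleep_is_effectively_infinite(ms)})")
    print(f"self-spawn: {result['self_spawn']}")
```

Run against the lines of this report it yields one RWX region (child process, 0x402000), one long sleep that equals TimeSpan.MaxValue, and a confirmed self-spawn; the parent's regions at 0x4A90000 and 0x3489000 are filtered out because they are only PAGE_READWRITE.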

                      Stealing of Sensitive Information:

Yara detected Snake Keylogger
Source: Yara match; file source: 00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: PO202100046.exe PID: 6988, type: MEMORY
Source: Yara match; file source: Process Memory Space: PO202100046.exe PID: 6952, type: MEMORY
Source: Yara match; file source: 0.2.PO202100046.exe.36a37b8.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.PO202100046.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.36a37b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.35ae570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.351bd40.5.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PO202100046.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PO202100046.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\PO202100046.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match; file source: Process Memory Space: PO202100046.exe PID: 6988, type: MEMORY
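The two file opens and the registry key above are the report's only direct evidence of credential theft, and they are enough to build an endpoint detection: Chrome's Login Data (saved logins) and Cookies SQLite files should only be opened by chrome.exe, and the 9375CFF0413111d3B88A00104B2A6676 subkey under an Outlook profile is where Outlook stores per-account settings, including saved credentials. The Python below is an added example, not code from the report or from Snake Keylogger. The allow-list of owning processes (chrome.exe, outlook.exe) is an assumption, and the event records are constructed from the lines above plus one benign Chrome access to show the allow-list in effect.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Credential stores the report shows being touched.
CHROME_STORE_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)$", re.I)
OUTLOOK_ACCOUNTS_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Windows Messaging Subsystem\\Profiles\\[^\\]+\\9375CFF0413111d3B88A00104B2A6676", re.I)

# Assumed allow-list of image names that legitimately open each store.
EXPECTED_OWNER = {"chrome": {"chrome.exe"}, "outlook": {"outlook.exe"}}


@dataclass(frozen=True)
class AccessEvent:
    process: str   # image path of the accessing process
    kind: str      # "file" or "registry"
    target: str    # file path or registry key


@dataclass(frozen=True)
class Finding:
    process: str
    store: str
    target: str


def classify_store(event: AccessEvent) -> Optional[str]:
    """Name the credential store an event touches, or None if it is not one."""
    if event.kind == "file" and CHROME_STORE_RE.search(event.target):
        return "chrome"
    if event.kind == "registry" and OUTLOOK_ACCOUNTS_RE.search(event.target):
        return "outlook"
    return None


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[AccessEvent]) -> List[Finding]:
    """Flag every credential-store access by a process that is not the store's owner."""
    findings: List[Finding] = []
    for e in events:
        store = classify_store(e)
        if store and image_name(e.process) not in EXPECTED_OWNER[store]:
            findings.append(Finding(e.process, store, e.target))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by process; one process reaching several stores is the stealer pattern."""
    by_proc: Dict[str, set] = {}
    for f in findings:
        by_proc.setdefault(f.process, set()).add(f.store)
    return {p: sorted(s) for p, s in by_proc.items()}


SAMPLE_EVENTS = [  # constructed from the report's lines, plus one benign Chrome access
    AccessEvent(r"C:\Users\user\Desktop\PO202100046.exe", "file",
                r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(r"C:\Users\user\Desktop\PO202100046.exe", "file",
                r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    AccessEvent(r"C:\Users\user\Desktop\PO202100046.exe", "registry",
                r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    AccessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file",
                r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.store:8} {f.process} -> {f.target}")
    print(summarise(detect(SAMPLE_EVENTS)))
```

On the constructed events the three accesses by PO202100046.exe are flagged and the chrome.exe access is not; the summary shows a single process reaching both the browser and the mail store, which is the combination the report's two signatures describe.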

                      Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match; file source: 00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: PO202100046.exe PID: 6988, type: MEMORY
Source: Yara match; file source: Process Memory Space: PO202100046.exe PID: 6952, type: MEMORY
Source: Yara match; file source: 0.2.PO202100046.exe.36a37b8.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.PO202100046.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.36a37b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.35ae570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.PO202100046.exe.351bd40.5.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Techniques with hits for this sample, by tactic (the trailing number on each technique is the report's hit marker, kept as printed; the remaining cells of the matrix template carry no hits for this sample):

Privilege Escalation: Process Injection 12
Defense Evasion: Process Injection 12; Masquerading 1; Virtualization/Sandbox Evasion 2; Disable or Modify Tools 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 2; Timestomp 1
Credential Access: OS Credential Dumping 1; Input Capture 1
Discovery: Security Software Discovery 1; Virtualization/Sandbox Evasion 2; Process Discovery 2; Remote System Discovery 1; System Network Configuration Discovery 1; System Information Discovery 13
Collection: Email Collection 1; Input Capture 1; Archive Collected Data 11; Data from Local System 1
Command and Control: Encrypted Channel 12; Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 13

                      Behavior Graph

(interactive behavior graph not reproduced in this text rendering)

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

(thumbnail images not reproduced in this text rendering)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
PO202100046.exe | 35% | Virustotal |
PO202100046.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac
PO202100046.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
1.2.PO202100046.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen

                      Domains

Source | Detection | Scanner | Label
freegeoip.app | 0% | Virustotal |
checkip.dyndns.com | 0% | Virustotal |
checkip.dyndns.org | 0% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
http://checkip.dyndns.org4 | 0% | URL Reputation | safe (4 identical rows)
https://freegeoip.app/xml/ | 0% | URL Reputation | safe (4 identical rows)
http://checkip.dyndns.org/ | 0% | Virustotal |
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org/HB | 0% | Avira URL Cloud | safe
https://freegeoip.app | 0% | URL Reputation | safe (3 identical rows)
https://freegeoip.app/xml/84.17.52.38 | 0% | URL Reputation | safe (3 identical rows)
http://checkip.dyndns.org | 0% | Avira URL Cloud | safe
https://freegeoip.app4 | 0% | URL Reputation | safe (3 identical rows)
http://checkip.dyndns.com | 0% | Avira URL Cloud | safe
https://freegeoip.app/xml/84.17.52.38x | 0% | URL Reputation | safe (3 identical rows)
https://freegeoip.app/xml/LoadCountryNameClipboard | 0% | URL Reputation | safe (3 identical rows)
http://freegeoip.app | 0% | URL Reputation | safe (3 identical rows)
http://checkip.dyndns.orgD8 | 0% | URL Reputation | safe (3 identical rows)

The trailing characters on several entries (4, HB, D8, x, LoadCountryNameClipboard) are adjacent bytes carved from memory together with the URL string; the hosts actually contacted are checkip.dyndns.org and freegeoip.app.

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
freegeoip.app | 172.67.188.154 | true | false | | unknown
checkip.dyndns.com | 131.186.113.70 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

checkip.dyndns.org resolves through a CNAME to checkip.dyndns.com, which is why the address is recorded on the .com entry.

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | 0% Virustotal; Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org4 | PO202100046.exe, 00000001.00000002.590354272.0000000002E56000.00000004.00000001.sdmp | false | URL Reputation: safe (4 identical rows) | unknown
https://freegeoip.app/xml/ | PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmp | false | URL Reputation: safe (4 identical rows) | unknown
http://checkip.dyndns.org/HB | PO202100046.exe, 00000001.00000002.590242317.0000000002DB1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://freegeoip.app | PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmp | false | URL Reputation: safe (3 identical rows) | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8 | PO202100046.exe, 00000001.00000002.590242317.0000000002DB1000.00000004.00000001.sdmp | false | | high
https://freegeoip.app/xml/84.17.52.38 | PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmp | false | URL Reputation: safe (3 identical rows) | unknown
http://checkip.dyndns.org | PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/ | PO202100046.exe, 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp | false | | high
https://freegeoip.app4 | PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmp | false | URL Reputation: safe (3 identical rows) | unknown
http://checkip.dyndns.com | PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO202100046.exe, 00000001.00000002.590242317.0000000002DB1000.00000004.00000001.sdmp | false | | high
https://freegeoip.app/xml/84.17.52.38x | PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmp | false | URL Reputation: safe (3 identical rows) | unknown
https://freegeoip.app/xml/LoadCountryNameClipboard | PO202100046.exe, 00000001.00000002.590242317.0000000002DB1000.00000004.00000001.sdmp | false | URL Reputation: safe (3 identical rows) | unknown
http://freegeoip.app | PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmp | false | URL Reputation: safe (3 identical rows) | unknown
http://checkip.dyndns.orgD8 | PO202100046.exe, 00000001.00000002.590395262.0000000002E66000.00000004.00000001.sdmp | false | URL Reputation: safe (3 identical rows) | unknown
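The URLs carved from the child process describe the sample's network pattern end to end: an external-IP lookup against checkip.dyndns.org, the returned address (84.17.52.38 in this run) then passed to freegeoip.app, and exfiltration through the Telegram bot API, whose template https://api.telegram.org/bot/sendMessage?chat_id=&text= still has the token and chat_id unfilled in memory. The Python below is an added example, not code from the report or from the sample: it correlates an IP-lookup request with a Telegram bot-API call made by the same process within a short window, and parses the bot URL so the token can be pulled out for takedown or blocking. The proxy-log layout, the five-minute window and the placeholder token 123456:ABCDEF are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hosts the report shows being used to learn the victim's public IP and location.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "freegeoip.app"}

# Telegram bot API shape: https://api.telegram.org/bot<token>/<method>.  The report's
# memory string has an empty token, which the parser returns as None.
TELEGRAM_RE = re.compile(r"^https?://api\.telegram\.org/bot(?P<token>[^/?]*)/(?P<method>\w+)")

# Constructed proxy-log layout for the example: "<ISO-8601 time> <process> <verb> <url>".
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|CONNECT) (\S+)$")

WINDOW = timedelta(minutes=5)  # assumed: lookup and exfil must fall this close together


def parse_telegram(url: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a Telegram bot-API URL into token and method; None for anything else."""
    m = TELEGRAM_RE.match(url)
    if not m:
        return None
    return {"token": m.group("token") or None, "method": m.group("method")}


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()


def correlate(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (process, lookup host, telegram method) for each Telegram bot call that
    follows an external-IP lookup by the same process within WINDOW."""
    last_lookup: Dict[str, Tuple[datetime, str]] = {}
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, proc, url = datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)
        host = host_of(url)
        if host in IP_LOOKUP_HOSTS:
            last_lookup[proc] = (ts, host)   # remember the most recent lookup per process
            continue
        tg = parse_telegram(url)
        if tg and proc in last_lookup:
            t0, lookup_host = last_lookup[proc]
            if timedelta(0) <= ts - t0 <= WINDOW:
                hits.append((proc, lookup_host, tg["method"]))
    return hits


SAMPLE_LOG = [  # constructed; 84.17.52.38 is the egress address seen in the report's strings
    "2021-02-23T17:41:02 PO202100046.exe GET http://checkip.dyndns.org/",
    "2021-02-23T17:41:03 PO202100046.exe GET https://freegeoip.app/xml/84.17.52.38",
    "2021-02-23T17:41:09 PO202100046.exe POST https://api.telegram.org/bot123456:ABCDEF/sendMessage",
    "2021-02-23T17:50:00 chrome.exe GET https://freegeoip.app/json",
    "2021-02-23T18:30:00 chrome.exe GET https://api.telegram.org/bot999:XYZ/getMe",
]

if __name__ == "__main__":
    for proc, lookup, method in correlate(SAMPLE_LOG):
        print(f"{proc}: IP lookup via {lookup}, then Telegram {method} within {WINDOW}")
```

Only the PO202100046.exe sequence is reported; the chrome.exe lines show a geolocation request and a Telegram call that are forty minutes apart and therefore fall outside the window. The same correlation works on DNS logs if the URL column is replaced by the queried name, since the two lookup hosts and api.telegram.org are all distinguishable at that layer.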

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
131.186.113.70 | unknown | United States | 33517 | DYNDNSUS | false
172.67.188.154 | unknown | United States | 13335 | CLOUDFLARENETUS | false

                            General Information

                            Joe Sandbox Version:31.0.0 Emerald
                            Analysis ID:356841
                            Start date:23.02.2021
                            Start time:17:40:32
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 7m 55s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:PO202100046.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal88.troj.spyw.evad.winEXE@3/1@3/2
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 0% (good quality ratio 0%)
                            • Quality average: 71%
                            • Quality standard deviation: 0%
                            HCA Information:
                            • Successful, ratio: 98%
                            • Number of executed functions: 53
                            • Number of non-executed functions: 2
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 52.255.188.83, 168.61.161.212, 23.211.6.115, 104.42.151.234, 51.11.168.160, 8.253.207.120, 8.248.97.254, 8.238.85.126, 8.241.80.126, 8.248.115.254, 51.103.5.186, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 184.30.24.56
                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

                            No simulations

                            Joe Sandbox View / Context

                            IPs

Match | Associated Sample Name / URL | Detection | Context
131.186.113.70 | P00760000.exe | malicious | checkip.dyndns.org/
131.186.113.70 | Order.doc | malicious | checkip.dyndns.org/
131.186.113.70 | purchase order.exe | malicious | checkip.dyndns.org/
131.186.113.70 | IMG_57109_Scanned.doc | malicious | checkip.dyndns.org/
131.186.113.70 | Purchase Order.exe | malicious | checkip.dyndns.org/
131.186.113.70 | dot crypted.exe | malicious | checkip.dyndns.org/
131.186.113.70 | v2.exe | malicious | checkip.dyndns.org/
131.186.113.70 | PURCHASE ORDER CONFIRMATION.exe | malicious | checkip.dyndns.org/
131.186.113.70 | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | checkip.dyndns.org/
131.186.113.70 | purchase order.exe | malicious | checkip.dyndns.org/
131.186.113.70 | 9073782912,pdf.exe | malicious | checkip.dyndns.org/
131.186.113.70 | SOS URGENT RFQ #2345.exe | malicious | checkip.dyndns.org/
131.186.113.70 | Halkbank_Ekstre_20210222_082357_541079.exe | malicious | checkip.dyndns.org/
131.186.113.70 | Order_C3350191107102300.exe | malicious | checkip.dyndns.org/
131.186.113.70 | Payment information 366531890544-2222021,pdf.exe | malicious | checkip.dyndns.org/
131.186.113.70 | RFQ file_pdf.exe | malicious | checkip.dyndns.org/
131.186.113.70 | cotización.exe | malicious | checkip.dyndns.org/
131.186.113.70 | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | checkip.dyndns.org/
131.186.113.70 | NEW ORDER.19022021.exe | malicious | checkip.dyndns.org/
131.186.113.70 | orden de compra.exe | malicious | checkip.dyndns.org/
172.67.188.154 | 3MndTUzGQn.exe | malicious | freegeoip.app/json

                            Domains

                            Match | Associated Sample Name / URL | Detection | Context
                            freegeoip.app | SSGLPOJ6212202.exe | malicious | 104.21.19.200
                            freegeoip.app | ST_PLC URGENT ORDER 0223308737,pdf.exe | malicious | 104.21.19.200
                            freegeoip.app | P00760000.exe | malicious | 104.21.19.200
                            freegeoip.app | Order.doc | malicious | 104.21.19.200
                            freegeoip.app | QUOTE.doc | malicious | 104.21.19.200
                            freegeoip.app | Shipment Notification 6368638172.pdf.exe | malicious | 172.67.188.154
                            freegeoip.app | purchase order.exe | malicious | 104.21.19.200
                            freegeoip.app | 9073782912,pdf.exe | malicious | 104.21.19.200
                            freegeoip.app | IMG_57109_Scanned.doc | malicious | 104.21.19.200
                            freegeoip.app | Purchase Order.exe | malicious | 104.21.19.200
                            freegeoip.app | dot crypted.exe | malicious | 104.21.19.200
                            freegeoip.app | v2.exe | malicious | 172.67.188.154
                            freegeoip.app | Shipping Document PL&BL Draft.exe | malicious | 172.67.188.154
                            freegeoip.app | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 172.67.188.154
                            freegeoip.app | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 104.21.19.200
                            freegeoip.app | PURCHASE ORDER CONFIRMATION.exe | malicious | 172.67.188.154
                            freegeoip.app | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 172.67.188.154
                            freegeoip.app | (appproved)WJO-TT180,pdf.exe | malicious | 104.21.19.200
                            freegeoip.app | purchase order.exe | malicious | 172.67.188.154
                            freegeoip.app | 9073782912,pdf.exe | malicious | 172.67.188.154
                            checkip.dyndns.com | SSGLPOJ6212202.exe | malicious | 216.146.43.70
                            checkip.dyndns.com | ST_PLC URGENT ORDER 0223308737,pdf.exe | malicious | 216.146.43.70
                            checkip.dyndns.com | P00760000.exe | malicious | 162.88.193.70
                            checkip.dyndns.com | Order.doc | malicious | 131.186.113.70
                            checkip.dyndns.com | QUOTE.doc | malicious | 216.146.43.70
                            checkip.dyndns.com | Shipment Notification 6368638172.pdf.exe | malicious | 162.88.193.70
                            checkip.dyndns.com | purchase order.exe | malicious | 131.186.113.70
                            checkip.dyndns.com | 9073782912,pdf.exe | malicious | 216.146.43.70
                            checkip.dyndns.com | IMG_57109_Scanned.doc | malicious | 131.186.113.70
                            checkip.dyndns.com | Purchase Order.exe | malicious | 131.186.113.70
                            checkip.dyndns.com | dot crypted.exe | malicious | 131.186.113.70
                            checkip.dyndns.com | v2.exe | malicious | 131.186.113.70
                            checkip.dyndns.com | Shipping Document PL&BL Draft.exe | malicious | 216.146.43.71
                            checkip.dyndns.com | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 162.88.193.70
                            checkip.dyndns.com | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 162.88.193.70
                            checkip.dyndns.com | PURCHASE ORDER CONFIRMATION.exe | malicious | 131.186.113.70
                            checkip.dyndns.com | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 131.186.113.70
                            checkip.dyndns.com | (appproved)WJO-TT180,pdf.exe | malicious | 131.186.161.70
                            checkip.dyndns.com | purchase order.exe | malicious | 131.186.113.70
                            checkip.dyndns.com | 9073782912,pdf.exe | malicious | 131.186.113.70

                            ASN

                            Match | Associated Sample Name / URL | Detection | Context
                            DYNDNSUS | SSGLPOJ6212202.exe | malicious | 216.146.43.71
                            DYNDNSUS | ST_PLC URGENT ORDER 0223308737,pdf.exe | malicious | 216.146.43.70
                            DYNDNSUS | P00760000.exe | malicious | 162.88.193.70
                            DYNDNSUS | Order.doc | malicious | 162.88.193.70
                            DYNDNSUS | QUOTE.doc | malicious | 216.146.43.70
                            DYNDNSUS | Shipment Notification 6368638172.pdf.exe | malicious | 162.88.193.70
                            DYNDNSUS | purchase order.exe | malicious | 131.186.113.70
                            DYNDNSUS | 9073782912,pdf.exe | malicious | 216.146.43.70
                            DYNDNSUS | IMG_57109_Scanned.doc | malicious | 131.186.113.70
                            DYNDNSUS | Purchase Order.exe | malicious | 131.186.113.70
                            DYNDNSUS | dot crypted.exe | malicious | 131.186.113.70
                            DYNDNSUS | v2.exe | malicious | 131.186.113.70
                            DYNDNSUS | Shipping Document PL&BL Draft.exe | malicious | 216.146.43.71
                            DYNDNSUS | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 162.88.193.70
                            DYNDNSUS | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 162.88.193.70
                            DYNDNSUS | PURCHASE ORDER CONFIRMATION.exe | malicious | 131.186.113.70
                            DYNDNSUS | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 131.186.113.70
                            DYNDNSUS | (appproved)WJO-TT180,pdf.exe | malicious | 131.186.161.70
                            DYNDNSUS | purchase order.exe | malicious | 131.186.113.70
                            DYNDNSUS | 9073782912,pdf.exe | malicious | 131.186.113.70
                            CLOUDFLARENETUS | SSGLPOJ6212202.exe | malicious | 172.67.188.154
                            CLOUDFLARENETUS | ST_PLC URGENT ORDER 0223308737,pdf.exe | malicious | 104.21.19.200
                            CLOUDFLARENETUS | SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | malicious | 172.67.199.58
                            CLOUDFLARENETUS | SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | malicious | 104.23.98.190
                            CLOUDFLARENETUS | 1vuet1S3tI.exe | malicious | 172.67.199.58
                            CLOUDFLARENETUS | P00760000.exe | malicious | 104.21.19.200
                            CLOUDFLARENETUS | Order.doc | malicious | 104.21.19.200
                            CLOUDFLARENETUS | QUOTE.doc | malicious | 104.21.19.200
                            CLOUDFLARENETUS | Shipment Notification 6368638172.pdf.exe | malicious | 172.67.188.154
                            CLOUDFLARENETUS | 2070121_SN-WS.exe | malicious | 104.21.71.230
                            CLOUDFLARENETUS | purchase order.exe | malicious | 104.21.19.200
                            CLOUDFLARENETUS | 9073782912,pdf.exe | malicious | 104.21.19.200
                            CLOUDFLARENETUS | payment_advice.doc | malicious | 172.67.172.17
                            CLOUDFLARENETUS | IMG_57109_Scanned.doc | malicious | 172.67.188.154
                            CLOUDFLARENETUS | Purchase Order.exe | malicious | 104.21.19.200
                            CLOUDFLARENETUS | dot crypted.exe | malicious | 104.21.19.200
                            CLOUDFLARENETUS | New Order 2300030317388 InterMetro.exe | malicious | 172.67.172.17
                            CLOUDFLARENETUS | CN-Invoice-XXXXX9808-19011143287989.exe | malicious | 172.67.172.17
                            CLOUDFLARENETUS | Purchase Order list.exe | malicious | 104.21.23.61
                            CLOUDFLARENETUS | RkoKlvuLh6.exe | malicious | 162.159.136.232

                            JA3 Fingerprints

                            Match | Associated Sample Name / URL | Detection | Context
                            54328bd36c14bd82ddaa0c04b25ed9ad | SSGLPOJ6212202.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | ST_PLC URGENT ORDER 0223308737,pdf.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | P00760000.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | Shipment Notification 6368638172.pdf.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | purchase order.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | 9073782912,pdf.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | Purchase Order.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | dot crypted.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | v2.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | Shipping Document PL&BL Draft.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | PURCHASE ORDER CONFIRMATION.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | (appproved)WJO-TT180,pdf.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | purchase order.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | 9073782912,pdf.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | SOS URGENT RFQ #2345.exe | malicious | 172.67.188.154
                            54328bd36c14bd82ddaa0c04b25ed9ad | purchase order 1.exe | malicious | 172.67.188.154

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO202100046.exe.log
                            Process:C:\Users\user\Desktop\PO202100046.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):706
                            Entropy (8bit):5.342604339328228
                            Encrypted:false
                            SSDEEP:12:Q3La/hhkvoDLI4MWuCq1KDLI4M9tDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKm:MLUE4Kx1qE4qpE4Ks2wKDE4KhK3VZ9px
                            MD5:34580C7C598E15B8A008C82FE6A07CDF
                            SHA1:2C90E9B7F4AFFE8FC7F9C313B4B867DF5B96CAC1
                            SHA-256:08246B9BE1C37F8977CE083319A9D34BE09C65B926CBA30A5E062D79D5A4F1D6
                            SHA-512:D836A862804608C3A127BF0CD30ECFB428E682D5E73D90C4C2837F93F02F12307F242F47F3CBBD71249AA6E608AFE230527F2F7D306A35A681346F9DDFE9D820
                            Malicious:true
                            Reputation:moderate, very likely benign file
                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.980014580995005
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:PO202100046.exe
                            File size:614912
                            MD5:eafc433b4d4bf4a0edc9b57b6f4af8ec
                            SHA1:0ba21c1f4f908e589db07ce4003786e0e7bf62d9
                            SHA256:77ee17838c1ea6e3c69ec2989df485386800901ef0caac90e01fadbad225a354
                            SHA512:ac519009f2d1b9199b3ca37186472a3f138622f063b8465b540d5657258565c4fbf407c9a0188395828ea3a63b48005022eaec7d481b823308e70481b549263c
                            SSDEEP:12288:ICbYQjoiur3J9MEQELc5LqbNcyWR4Yem7MX6zDk0OAZnref4:ICbYQjoBr3J9MEQwj63kutr
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!(b...............0..X...........v... ........@.. ....................................@................................

                            File Icon

                            Icon Hash:00828e8e8686b000

                            Static PE Info

                            General

                            Entrypoint:0x4976de
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0xA4622821 [Thu May 24 02:17:05 2057 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:v4.0.30319
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                            Entrypoint Preview

                            Instruction
                            jmp dword ptr [00402000h]

                            Data Directories

                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9768c | 0x4f | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0x5d6 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9a000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                            Sections

                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x956e4 | 0x95800 | False | 0.627196449101 | data | 7.98391026128 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            .rsrc | 0x98000 | 0x5d6 | 0x600 | False | 0.418619791667 | data | 4.12696293065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0x9a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                            Resources

                            Name | RVA | Size | Type | Language | Country
                            RT_VERSION | 0x980a0 | 0x34c | data | |
                            RT_MANIFEST | 0x983ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                            Imports

                            DLL | Import
                            mscoree.dll | _CorExeMain

                            Version Infos

                            Description | Data
                            Translation | 0x0000 0x04b0
                            LegalCopyright | Copyright 2020
                            Assembly Version | 1.0.0.0
                            InternalName | ScreenCapturer.exe
                            FileVersion | 1.0.0.0
                            CompanyName |
                            LegalTrademarks |
                            Comments |
                            ProductName | ScreenCapturer
                            ProductVersion | 1.0.0.0
                            FileDescription | ScreenCapturer
                            OriginalFilename | ScreenCapturer.exe

                            Network Behavior

                            Network Port Distribution

                            TCP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Feb 23, 2021 17:41:24.970299006 CET | 49719 | 80 | 192.168.2.6 | 131.186.113.70
                            Feb 23, 2021 17:41:25.030709982 CET | 80 | 49719 | 131.186.113.70 | 192.168.2.6
                            Feb 23, 2021 17:41:25.030822039 CET | 49719 | 80 | 192.168.2.6 | 131.186.113.70
                            Feb 23, 2021 17:41:25.031599045 CET | 49719 | 80 | 192.168.2.6 | 131.186.113.70
                            Feb 23, 2021 17:41:25.092823029 CET | 80 | 49719 | 131.186.113.70 | 192.168.2.6
                            Feb 23, 2021 17:41:25.092909098 CET | 80 | 49719 | 131.186.113.70 | 192.168.2.6
                            Feb 23, 2021 17:41:25.092941046 CET | 80 | 49719 | 131.186.113.70 | 192.168.2.6
                            Feb 23, 2021 17:41:25.093041897 CET | 49719 | 80 | 192.168.2.6 | 131.186.113.70
                            Feb 23, 2021 17:41:25.094394922 CET | 49719 | 80 | 192.168.2.6 | 131.186.113.70
                            Feb 23, 2021 17:41:25.154534101 CET | 80 | 49719 | 131.186.113.70 | 192.168.2.6
                            Feb 23, 2021 17:41:25.292853117 CET | 49721 | 80 | 192.168.2.6 | 131.186.113.70
                            Feb 23, 2021 17:41:25.353338957 CET | 80 | 49721 | 131.186.113.70 | 192.168.2.6
                            Feb 23, 2021 17:41:25.354296923 CET | 49721 | 80 | 192.168.2.6 | 131.186.113.70
                            Feb 23, 2021 17:41:25.354636908 CET | 49721 | 80 | 192.168.2.6 | 131.186.113.70
                            Feb 23, 2021 17:41:25.415910006 CET | 80 | 49721 | 131.186.113.70 | 192.168.2.6
                            Feb 23, 2021 17:41:25.528614044 CET | 80 | 49721 | 131.186.113.70 | 192.168.2.6
                            Feb 23, 2021 17:41:25.528637886 CET | 80 | 49721 | 131.186.113.70 | 192.168.2.6
                            Feb 23, 2021 17:41:25.528831005 CET | 49721 | 80 | 192.168.2.6 | 131.186.113.70
                            Feb 23, 2021 17:41:25.530239105 CET | 49721 | 80 | 192.168.2.6 | 131.186.113.70
                            Feb 23, 2021 17:41:25.590226889 CET | 80 | 49721 | 131.186.113.70 | 192.168.2.6
                            Feb 23, 2021 17:41:27.733335018 CET | 49723 | 443 | 192.168.2.6 | 172.67.188.154
                            Feb 23, 2021 17:41:27.786279917 CET | 443 | 49723 | 172.67.188.154 | 192.168.2.6
                            Feb 23, 2021 17:41:27.786389112 CET | 49723 | 443 | 192.168.2.6 | 172.67.188.154
                            Feb 23, 2021 17:41:27.837779999 CET | 49723 | 443 | 192.168.2.6 | 172.67.188.154
                            Feb 23, 2021 17:41:27.890674114 CET | 443 | 49723 | 172.67.188.154 | 192.168.2.6
                            Feb 23, 2021 17:41:27.892535925 CET | 443 | 49723 | 172.67.188.154 | 192.168.2.6
                            Feb 23, 2021 17:41:27.892575026 CET | 443 | 49723 | 172.67.188.154 | 192.168.2.6
                            Feb 23, 2021 17:41:27.892646074 CET | 49723 | 443 | 192.168.2.6 | 172.67.188.154
                            Feb 23, 2021 17:41:27.903217077 CET | 49723 | 443 | 192.168.2.6 | 172.67.188.154
                            Feb 23, 2021 17:41:27.956089020 CET | 443 | 49723 | 172.67.188.154 | 192.168.2.6
                            Feb 23, 2021 17:41:27.956238985 CET | 443 | 49723 | 172.67.188.154 | 192.168.2.6
                            Feb 23, 2021 17:41:28.021785021 CET | 49723 | 443 | 192.168.2.6 | 172.67.188.154
                            Feb 23, 2021 17:41:28.255269051 CET | 49723 | 443 | 192.168.2.6 | 172.67.188.154
                            Feb 23, 2021 17:41:28.308166981 CET | 443 | 49723 | 172.67.188.154 | 192.168.2.6
                            Feb 23, 2021 17:41:28.330156088 CET | 443 | 49723 | 172.67.188.154 | 192.168.2.6
                            Feb 23, 2021 17:41:28.521811962 CET | 49723 | 443 | 192.168.2.6 | 172.67.188.154
                            Feb 23, 2021 17:43:08.524080992 CET | 49723 | 443 | 192.168.2.6 | 172.67.188.154
                            Feb 23, 2021 17:43:08.577346087 CET | 443 | 49723 | 172.67.188.154 | 192.168.2.6
                            Feb 23, 2021 17:43:08.577440023 CET | 49723 | 443 | 192.168.2.6 | 172.67.188.154

                            UDP Packets


                            DNS Queries

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            Feb 23, 2021 17:41:24.719208956 CET | 192.168.2.6 | 8.8.8.8 | 0x262 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:24.831747055 CET | 192.168.2.6 | 8.8.8.8 | 0x12df | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:27.673002005 CET | 192.168.2.6 | 8.8.8.8 | 0x9156 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)

                            DNS Answers

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Feb 23, 2021 17:41:24.767879009 CET | 8.8.8.8 | 192.168.2.6 | 0x262 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001)
                            Feb 23, 2021 17:41:24.767879009 CET | 8.8.8.8 | 192.168.2.6 | 0x262 | No error (0) | checkip.dyndns.com | - | 131.186.113.70 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:24.767879009 CET | 8.8.8.8 | 192.168.2.6 | 0x262 | No error (0) | checkip.dyndns.com | - | 131.186.161.70 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:24.767879009 CET | 8.8.8.8 | 192.168.2.6 | 0x262 | No error (0) | checkip.dyndns.com | - | 216.146.43.71 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:24.767879009 CET | 8.8.8.8 | 192.168.2.6 | 0x262 | No error (0) | checkip.dyndns.com | - | 216.146.43.70 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:24.767879009 CET | 8.8.8.8 | 192.168.2.6 | 0x262 | No error (0) | checkip.dyndns.com | - | 162.88.193.70 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:24.881731987 CET | 8.8.8.8 | 192.168.2.6 | 0x12df | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001)
                            Feb 23, 2021 17:41:24.881731987 CET | 8.8.8.8 | 192.168.2.6 | 0x12df | No error (0) | checkip.dyndns.com | - | 131.186.113.70 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:24.881731987 CET | 8.8.8.8 | 192.168.2.6 | 0x12df | No error (0) | checkip.dyndns.com | - | 216.146.43.71 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:24.881731987 CET | 8.8.8.8 | 192.168.2.6 | 0x12df | No error (0) | checkip.dyndns.com | - | 162.88.193.70 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:24.881731987 CET | 8.8.8.8 | 192.168.2.6 | 0x12df | No error (0) | checkip.dyndns.com | - | 131.186.161.70 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:24.881731987 CET | 8.8.8.8 | 192.168.2.6 | 0x12df | No error (0) | checkip.dyndns.com | - | 216.146.43.70 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:27.730257988 CET | 8.8.8.8 | 192.168.2.6 | 0x9156 | No error (0) | freegeoip.app | - | 172.67.188.154 | A (IP address) | IN (0x0001)
                            Feb 23, 2021 17:41:27.730257988 CET | 8.8.8.8 | 192.168.2.6 | 0x9156 | No error (0) | freegeoip.app | - | 104.21.19.200 | A (IP address) | IN (0x0001)

                            HTTP Request Dependency Graph

                            • checkip.dyndns.org

                            HTTP Packets

                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            0 | 192.168.2.6 | 49719 | 131.186.113.70 | 80 | C:\Users\user\Desktop\PO202100046.exe

                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 17:41:25.031599045 CET | 1156 | OUT | GET / HTTP/1.1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                            Host: checkip.dyndns.org
                            Connection: Keep-Alive
                            Feb 23, 2021 17:41:25.092909098 CET | 1157 | IN | HTTP/1.1 200 OK
                            Content-Type: text/html
                            Server: DynDNS-CheckIP/1.0.1
                            Connection: close
                            Cache-Control: no-cache
                            Pragma: no-cache
                            Content-Length: 103
                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.38</body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            1 | 192.168.2.6 | 49721 | 131.186.113.70 | 80 | C:\Users\user\Desktop\PO202100046.exe

                            Timestamp | kBytes transferred | Direction | Data
                            Feb 23, 2021 17:41:25.354636908 CET | 1158 | OUT | GET / HTTP/1.1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                            Host: checkip.dyndns.org
                            Feb 23, 2021 17:41:25.528614044 CET | 1163 | IN | HTTP/1.1 200 OK
                            Content-Type: text/html
                            Server: DynDNS-CheckIP/1.0.1
                            Connection: close
                            Cache-Control: no-cache
                            Pragma: no-cache
                            Content-Length: 103
                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.38</body></html>


                            HTTPS Packets

                            Timestamp | Source IP | Source Port | Dest IP | Dest Port
                            Feb 23, 2021 17:41:27.892575026 CET | 172.67.188.154 | 443 | 192.168.2.6 | 49723
                            Certificate 1
                            • Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
                            • Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
                            • Not Before: Mon Aug 10 02:00:00 CEST 2020
                            • Not After: Tue Aug 10 14:00:00 CEST 2021
                            Certificate 2 (issuer of certificate 1)
                            • Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
                            • Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
                            • Not Before: Mon Jan 27 13:48:08 CET 2020
                            • Not After: Wed Jan 01 00:59:59 CET 2025
                            JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
                            JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad

                            Code Manipulations

                            Statistics

                            CPU Usage


                            Memory Usage


                            High Level Behavior Distribution


                            Behavior


                            System Behavior

                            General

                            Start time: 17:41:18
                            Start date: 23/02/2021
                            Path: C:\Users\user\Desktop\PO202100046.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Users\user\Desktop\PO202100046.exe'
                            Imagebase: 0x40000
                            File size: 614912 bytes
                            MD5 hash: EAFC433B4D4BF4A0EDC9B57B6F4AF8EC
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: .Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.325194217.0000000004A90000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000003.319958198.0000000004C71000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.323967870.0000000003489000.00000004.00000001.sdmp, Author: Joe Security
                            Reputation: low

                            General

                            Start time: 17:41:19
                            Start date: 23/02/2021
                            Path: C:\Users\user\Desktop\PO202100046.exe
                            Wow64 process (32bit): true
                            Commandline: C:\Users\user\Desktop\PO202100046.exe
                            Imagebase: 0x8b0000
                            File size: 614912 bytes
                            MD5 hash: EAFC433B4D4BF4A0EDC9B57B6F4AF8EC
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: .Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.588473253.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            Reputation: low

                            Disassembly

                            Code Analysis


                              Executed Functions

                              • Instruction ID: eeb4573e95f54db38763bc80945026d6b2b7126ef52a9828192707765de7dbc9
                              • Opcode Fuzzy Hash: d0d9d47b9c503da9ed2f71ae48eaa9bae3f56ee102093d9ed2552c81916f2d9c
                              • Instruction Fuzzy Hash: FC212874D052099FCB04EFA9D444AEEBBF5FF49304F10846AE504A7261EB345A45CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bda5f87e8d39b918877d50b9c570b08743aac77ef2bc52ec85bd2adff49795b9
                              • Instruction ID: b1cc96798b43e16617703012e6f79e2080f64cff678d9bcef1cb11994ce0f95f
                              • Opcode Fuzzy Hash: bda5f87e8d39b918877d50b9c570b08743aac77ef2bc52ec85bd2adff49795b9
                              • Instruction Fuzzy Hash: 6D21E578D001099FCB44EFA9D544AEEBBF5FB48304F10856AE904B7260EB355A45CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0c5269aa22dbcf6e9d46f74a88eeb16ef991362c1238f3f8e65c0b7b222505ed
                              • Instruction ID: 1fa4398c92bd3fa714b0d6e0ceac82202d8486f44d79bc70d304e8f2b3830a7a
                              • Opcode Fuzzy Hash: 0c5269aa22dbcf6e9d46f74a88eeb16ef991362c1238f3f8e65c0b7b222505ed
                              • Instruction Fuzzy Hash: 9601DF246193918FD3116F34D8105A73BA2EF82704F0644AAE085CF2A7EA248D06CBE2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 305794ac8136a106930b20dfb54147ab13a79f984f56da7fcd8e4fe8308e558b
                              • Instruction ID: f50892878b978612c0cecc0e83e92b6a99323abcbef9298d937495b8ae2d0396
                              • Opcode Fuzzy Hash: 305794ac8136a106930b20dfb54147ab13a79f984f56da7fcd8e4fe8308e558b
                              • Instruction Fuzzy Hash: 19F0322404F7D05FC7036BB828B86E53FA4EE07218B4E19E3C8C48B4A3DA14595AE366
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c873c184e4476915671195233f7e220da0b59ea21c9ad0671b74e54c0086e30f
                              • Instruction ID: 364cbc56fac47a846010011445e13575cea837e718dc0f44f15fe008a84f6845
                              • Opcode Fuzzy Hash: c873c184e4476915671195233f7e220da0b59ea21c9ad0671b74e54c0086e30f
                              • Instruction Fuzzy Hash: C7012479E08118DFDB00DFA8D8509EDBBF0FF5A304B114196E109EB221E731AD06DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ea51355b8026b054e96b1f9f2605fb808cabdd086829d8da482d30a6c384e933
                              • Instruction ID: 187296c97dba533d300e124b368833f06d24ded04c7abdd8ae3b0a57c0a79902
                              • Opcode Fuzzy Hash: ea51355b8026b054e96b1f9f2605fb808cabdd086829d8da482d30a6c384e933
                              • Instruction Fuzzy Hash: 2101A930900629AFCB01AFA8D80169FBBF0FF49300F004569E249E7311E33496208BE6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 393da413b1d43b3b70732271064ae359bef9c9e271b2b78352e7a0832e1af5be
                              • Instruction ID: 1d5df8e6ad302faf7e0819e3b8ab63141dd4533b66ea9e5047ac6ba9f2e421fd
                              • Opcode Fuzzy Hash: 393da413b1d43b3b70732271064ae359bef9c9e271b2b78352e7a0832e1af5be
                              • Instruction Fuzzy Hash: 30014878D042089FCB00EFB9D445AAEBBF5FB48304F108AAAD844E7311EB309A41CF41
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8b57a7bf664de41a9d8f863339cebc56d4703b81f4e4039ac9f8768187e20c04
                              • Instruction ID: c4f1c79f8b890e7ec34d7a3082ad78bfc08b2a68ce81926a7352cfe77ee1dd87
                              • Opcode Fuzzy Hash: 8b57a7bf664de41a9d8f863339cebc56d4703b81f4e4039ac9f8768187e20c04
                              • Instruction Fuzzy Hash: 2901D774900209DFCB80FFB8E444A9D7BF1FB48204B118E69E914EB258EB741A05CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f0f3e4dbc6505b1b43796e515507bf1a77bfb0d9389dc6431a43b5c30a29ec19
                              • Instruction ID: ad2bf9a377009fe0805057238816ebeff06327f522c32bf5c5fa193ad77e6451
                              • Opcode Fuzzy Hash: f0f3e4dbc6505b1b43796e515507bf1a77bfb0d9389dc6431a43b5c30a29ec19
                              • Instruction Fuzzy Hash: 78017C30A00209EFDB84FFA4E58869C7BF1EB41308F018EADD255AB261DF352A16DF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e06d8ab248e106066f25383d1ba5e53bf5ba721bb81e9a7841fc411e833c3de0
                              • Instruction ID: 28d24419b68a37e70ffca7720ec1e361488b4741d28ec8e1f392a1f161412ab3
                              • Opcode Fuzzy Hash: e06d8ab248e106066f25383d1ba5e53bf5ba721bb81e9a7841fc411e833c3de0
                              • Instruction Fuzzy Hash: 8801E870E00308EFCB84FFB8E58568DBBF5EB44208F0189A9D648E7215EB346A15DF55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5483aba7adf86533dc0282329f7be95e8a3f437c2d447d68157896891081168f
                              • Instruction ID: 63c00110b862ffdf3020d922e3a307d58cf33e23ec931d0db5a532b2f3edb33f
                              • Opcode Fuzzy Hash: 5483aba7adf86533dc0282329f7be95e8a3f437c2d447d68157896891081168f
                              • Instruction Fuzzy Hash: D4F09A30D006699FCB00EFADD80569EBBF4FF49310F00422AD109E7301E334A6218BE2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 744b9fabcba144ec9d418ca017ce846b77a28997873b794cc3a249394559f5b7
                              • Instruction ID: 67b5e6b7d9b8e8004ebe4c6648a1e25e20b184e3f54383b81acc94dec8513c8b
                              • Opcode Fuzzy Hash: 744b9fabcba144ec9d418ca017ce846b77a28997873b794cc3a249394559f5b7
                              • Instruction Fuzzy Hash: CAF01C75D02209DFDB80FFB8E94969CBBF0EB05309F2189AAD844E7215EB301E46DB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 65002506ac0042af3b7d85e035d91d211eac52092eeade755e6648cf1e0985e9
                              • Instruction ID: a399ff4acb26b06783e8cab055e80cc25de13b6968bb0b5173d5a82463cef7d6
                              • Opcode Fuzzy Hash: 65002506ac0042af3b7d85e035d91d211eac52092eeade755e6648cf1e0985e9
                              • Instruction Fuzzy Hash: F0E0E235C62309EFCB01BFB6A59CB7EBEB8EB0B316F006C95AA09D7101DB344910CA55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 60507a7cad28999d17979080a0f229e278d6d7a398b14fbdec6d05e2b815997f
                              • Instruction ID: 913d64032bdfe15313ac5bf922646a6f9d9f76d69e095519118e5a3689f017d0
                              • Opcode Fuzzy Hash: 60507a7cad28999d17979080a0f229e278d6d7a398b14fbdec6d05e2b815997f
                              • Instruction Fuzzy Hash: 55E0ED34901208EFCB80FFF8E548A9DBBF4EB48209F1049AAD904E7214EB305E55DF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2dc3808c749302a6f247c3568550ced2c2c599b490dae28b9739aa0bb795f606
                              • Instruction ID: b47b3b438aae0907ab4a4cc9aa05b48944c5d5820010120b19e78887ea1765fa
                              • Opcode Fuzzy Hash: 2dc3808c749302a6f247c3568550ced2c2c599b490dae28b9739aa0bb795f606
                              • Instruction Fuzzy Hash: DAE08670C052849FC7119FF494696FD7F34DB43304F0019E99C8857156EB310D16DB05
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d392707de49216f65c961c0867c52146502aaa3e5571f41776890ef3ddcc40e7
                              • Instruction ID: 983c63629c46543016fa573adcf66dcd327632b70f9007ef04371d1d8a41a4e1
                              • Opcode Fuzzy Hash: d392707de49216f65c961c0867c52146502aaa3e5571f41776890ef3ddcc40e7
                              • Instruction Fuzzy Hash: 05D0A730801208DBC704EFE4D508B7DBB7CDB43305F001958980853241EF315D10DA45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e833f2baacffd7e738f01057514a97271b07c6e6d9bb8ed7d932a3bd39a32bca
                              • Instruction ID: 8065b5d0787bc3d756b796bea84963956c469e563a51d9a2603144697e96bd9e
                              • Opcode Fuzzy Hash: e833f2baacffd7e738f01057514a97271b07c6e6d9bb8ed7d932a3bd39a32bca
                              • Instruction Fuzzy Hash: A3C08C308917198FCA192FE4B40CB3A76ACF70330BF862D00E24C428128F30D860C908
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 27db0ee5dcc77f71bc6e542102605d6887b2633bc0d886b925daa206ec403555
                              • Instruction ID: 2debb87d417297c1726a9d4a9b5a5e5da8ee751c4488ec0c334f25c9c028e480
                              • Opcode Fuzzy Hash: 27db0ee5dcc77f71bc6e542102605d6887b2633bc0d886b925daa206ec403555
                              • Instruction Fuzzy Hash: 7FD012304082C2CFC7127F20E9544653BB0EE036883020AC6F04C5F537E7740D558B55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ce5d118cfb8f6fbf6f8398b6fa18cd1ec4caa980787ca9840faf1af394cdf6e2
                              • Instruction ID: dbe7a358ea21a24d3904d8fbfa2f09b98c6fadc3ec1e9eed17b171552bd9d972
                              • Opcode Fuzzy Hash: ce5d118cfb8f6fbf6f8398b6fa18cd1ec4caa980787ca9840faf1af394cdf6e2
                              • Instruction Fuzzy Hash: 92D0C96850D3818EC712DB7584605263FB16E4220874B85EE9080AF067EB3A884ACB66
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 89011419fab2147371be9415b2c1890df284d4aac5d052fadce7b2d06cec63ae
                              • Instruction ID: 4365ed0c59c9a097d5ee869597648eb20553b9ba508caae4d2aa8ab820373da0
                              • Opcode Fuzzy Hash: 89011419fab2147371be9415b2c1890df284d4aac5d052fadce7b2d06cec63ae
                              • Instruction Fuzzy Hash: DDC08C3840028042EE089724042C3ABB6D6BFC4204F28CBA8C9C04420383208009A641
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dddbcce2c72e9ff519b9bce73143e8a645b114122cacfb583f2644e4069380c4
                              • Instruction ID: b78dc8a4c120dd4ffe275e02dec6422f5ae50fbf0f52407c103076216161bed8
                              • Opcode Fuzzy Hash: dddbcce2c72e9ff519b9bce73143e8a645b114122cacfb583f2644e4069380c4
                              • Instruction Fuzzy Hash: 64B0123000434ECBC940BF50F549818336CE54014C3400E50E50D5E4199AA52C604BD8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f2b9f371a4377e59faa8f687db0035211d9e455fdfe63cd8363de90ee936c144
                              • Instruction ID: 2cfe4f0c4680cb5ae3387adb8ba72228dd2484444160a650f08559d3df3eb0a3
                              • Opcode Fuzzy Hash: f2b9f371a4377e59faa8f687db0035211d9e455fdfe63cd8363de90ee936c144
                              • Instruction Fuzzy Hash: 6C12DCF1C917668BE718DF65E4881A93B71B740328FD04A08E1E11FAD2D7B8996ECF44
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.323675012.0000000000860000.00000040.00000001.sdmp, Offset: 00860000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7d1b095ed324e0d431cd143d7c141c7ed979e5d02b72d634e034441bf9023e93
                              • Instruction ID: 28d7b2011a12a1fafd62198bfc5cae3af60b9d8c5219fc1f4e85c3a865a06670
                              • Opcode Fuzzy Hash: 7d1b095ed324e0d431cd143d7c141c7ed979e5d02b72d634e034441bf9023e93
                              • Instruction Fuzzy Hash: 82C16FF1C517658BD718DF64E8881A93B71FB84328FD04B08E1A12BAD2D7B4986ECF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Executed Functions

                              APIs
                              • LdrInitializeThunk.NTDLL ref: 06371C6F
                              • KiUserExceptionDispatcher.NTDLL(00000000), ref: 0637215E
                              Memory Dump Source
                              • Source File: 00000001.00000002.593847487.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionInitializeThunkUser
                              • String ID:
                              • API String ID: 243558500-0
                              • Opcode ID: 209a515a59d6459dbcca4cbe8036924ece4c32afb0058add950c17727fffa00d
                              • Instruction ID: d15efcf5f8d9adb9bb5fdf735fe0be2189d7cfc62247006b6e8f1dd42b6e182c
                              • Opcode Fuzzy Hash: 209a515a59d6459dbcca4cbe8036924ece4c32afb0058add950c17727fffa00d
                              • Instruction Fuzzy Hash: A2F14E70E002089FDB24DFA4C984B9EBBF2BF88304F158569E515AB385DB75ED46CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000001.00000002.593847487.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 85df622e5315d233bf4eb7fcd4427fb4b1583068a567636f99056996409035de
                              • Instruction ID: 8b73d2f84253a9ecf285441b4e84f28f2e2cbd553adc3f4482a3ab3632a7e7e4
                              • Opcode Fuzzy Hash: 85df622e5315d233bf4eb7fcd4427fb4b1583068a567636f99056996409035de
                              • Instruction Fuzzy Hash: BA929F70F042488FCB68DBB4D8587AEBBB2AF89344F158469E405DB791DF78D846CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 0639BAB0
                              • GetCurrentThread.KERNEL32 ref: 0639BAED
                              • GetCurrentProcess.KERNEL32 ref: 0639BB2A
                              • GetCurrentThreadId.KERNEL32 ref: 0639BB83
                              Memory Dump Source
                              • Source File: 00000001.00000002.593901352.0000000006390000.00000040.00000001.sdmp, Offset: 06390000, based on PE: false
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: b51903ef58f044323a20a20e12921365be2bfae45fd28efcf48e5ef0ebd3eb78
                              • Instruction ID: 6acdd839b884a4c76bc9139927a53ccd437d34dc4448b948d47f338efd8c5131
                              • Opcode Fuzzy Hash: b51903ef58f044323a20a20e12921365be2bfae45fd28efcf48e5ef0ebd3eb78
                              • Instruction Fuzzy Hash: 905144B49003498FDB50CFAAD988BEEBBF5EF48314F248559E409A7390C7345844CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 0639BAB0
                              • GetCurrentThread.KERNEL32 ref: 0639BAED
                              • GetCurrentProcess.KERNEL32 ref: 0639BB2A
                              • GetCurrentThreadId.KERNEL32 ref: 0639BB83
                              Memory Dump Source
                              • Source File: 00000001.00000002.593901352.0000000006390000.00000040.00000001.sdmp, Offset: 06390000, based on PE: false
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: da43a7f8b96d277200f42bc7abb7539400bcac7cb460a824c17ef66ff373a530
                              • Instruction ID: 92949cb3795c878354b544482d63edefb23b9eb3ff7e25c65216a44362041409
                              • Opcode Fuzzy Hash: da43a7f8b96d277200f42bc7abb7539400bcac7cb460a824c17ef66ff373a530
                              • Instruction Fuzzy Hash: A35142B49007098FDB50DFAAD988BAEBBF5FF48318F208159E409A7390D7746844CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000001.00000002.589801020.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ede94a6087a31376a28bc896a3c17dffee514e57ddfbc12a4f42633e7734508c
                              • Instruction ID: 4e0aca3411ff1ba1ade538cb38f5062758d1f8f994203ff274b09f4e3783cb92
                              • Opcode Fuzzy Hash: ede94a6087a31376a28bc896a3c17dffee514e57ddfbc12a4f42633e7734508c
                              • Instruction Fuzzy Hash: D4D11235620205DFD718AB74F91EB5ABEB2AF85326F148939E206C72E1DFB09C41DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.593847487.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: eb8d7671321358dd796b64ea1857b18ed63332e9790b5c913efe06477d95842e
                              • Instruction ID: 4520ce5fe235b8968326f56e6526b49a997b6a1c721c292c599e6737aeb10872
                              • Opcode Fuzzy Hash: eb8d7671321358dd796b64ea1857b18ed63332e9790b5c913efe06477d95842e
                              • Instruction Fuzzy Hash: 139180B1E006188FCBA8DBB8D9447ADB7F2AF89354F148569D416EB750EB38DC45CB80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 012FE00B
                              Memory Dump Source
                              • Source File: 00000001.00000002.589801020.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: 25cbdae56711ed3b1a6b16e541907ae4321315027753301a09e78a50eb6ddc83
                              • Instruction ID: 3f7b1fc39b49d74eb3b77c4f49a85b780a50bd293b4df0024fb9e17a8f22f4ba
                              • Opcode Fuzzy Hash: 25cbdae56711ed3b1a6b16e541907ae4321315027753301a09e78a50eb6ddc83
                              • Instruction Fuzzy Hash: 6A31D739172105EBDB04BB70FE0F15E3E21BF56722B21863AF506C00E49FA068868F90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • KiUserExceptionDispatcher.NTDLL ref: 012FE00B
                              Memory Dump Source
                              • Source File: 00000001.00000002.589801020.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
                              Similarity
                              • API ID: DispatcherExceptionUser
                              • String ID:
                              • API String ID: 6842923-0
                              • Opcode ID: 13455df73eb8cece71a0ae98f6afaf3e78c2706e74c6e86aabb321697ea2cb1e
                              • Instruction ID: c0105ffb35c9f56ffd9487fe2e69257f1e1593f08a76bd89bd321ef718a1db42
                              • Opcode Fuzzy Hash: 13455df73eb8cece71a0ae98f6afaf3e78c2706e74c6e86aabb321697ea2cb1e
                              • Instruction Fuzzy Hash: 6431C839172105EBDB04BB70FE0F15E7E21FF56722B21963AF606800E49FB069869F91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0639C107
                              Memory Dump Source
                              • Source File: 00000001.00000002.593901352.0000000006390000.00000040.00000001.sdmp, Offset: 06390000, based on PE: false
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: dea88e6f46cda7e94d2759ba3aca59badef7d0fb086ce89879a2cf21af7158f5
                              • Instruction ID: fa9da6906780ed7943f33f5ffe4d4713d9f401cc8457a2d4838dcac146eacda9
                              • Opcode Fuzzy Hash: dea88e6f46cda7e94d2759ba3aca59badef7d0fb086ce89879a2cf21af7158f5
                              • Instruction Fuzzy Hash: E221E5B5D01208AFDF10CFAAD885ADEBBF8EB48360F14801AE914A7310D374A954CFA1
                              Uniqueness
                              • Uniqueness Score: -1.00%

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0639C107
                              Memory Dump Source
                              • Source File: 00000001.00000002.593901352.0000000006390000.00000040.00000001.sdmp, Offset: 06390000, based on PE: false
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 7834d547789e482d92b38501a69a8f0cf1de4cdd8c9df1fe6ff3621d549f6daf
                              • Instruction ID: a4c94e14dd422dba6d5aad7d86b7a56e8914bbfc8cbfc50a0842afc97cb80483
                              • Opcode Fuzzy Hash: 7834d547789e482d92b38501a69a8f0cf1de4cdd8c9df1fe6ff3621d549f6daf
                              • Instruction Fuzzy Hash: B921D3B5D002489FDF10DFAAD884ADEBBF8FB48364F14841AE914A7350D378A954CFA5
                              Uniqueness
                              • Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000001.00000002.589278192.0000000000F0D000.00000040.00000001.sdmp, Offset: 00F0D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6af96bc4a3cc936980385b269f132fb206473b24eeed2bc4daf9e47075059b52
                              • Instruction ID: 9eceb97cfdab23abaab0273e0403fd6e1a8ee6bd58b1cf27452d261353c647dc
                              • Opcode Fuzzy Hash: 6af96bc4a3cc936980385b269f132fb206473b24eeed2bc4daf9e47075059b52
                              • Instruction Fuzzy Hash: AB21F4B2904200DFDB14DF54DCC0B36BF65FB88328F288569ED054B286C336D856FAA1
                              Uniqueness
                              • Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000001.00000002.589307645.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 871c68726b48c07dc3e25eae6524d9961cbb5619d5af29adc5773f932df291a2
                              • Instruction ID: c7a2983edd63fa7a63aadcd571b8ead998eaaa34f67fe9a85a237559a608104d
                              • Opcode Fuzzy Hash: 871c68726b48c07dc3e25eae6524d9961cbb5619d5af29adc5773f932df291a2
                              • Instruction Fuzzy Hash: 4421F5B5908244DFDB14DF14D9C0B66BB75FB88324F24C5A9E9094B24AC336D887EA62
                              Uniqueness
                              • Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000001.00000002.589307645.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9404afb07159a1b1b492f702e4432064e379ea71bd93325d24ead635e4ce8955
                              • Instruction ID: d703d946ac724802493b87b136ff442aa8abad9bd0588cd595f29beb29a4c27f
                              • Opcode Fuzzy Hash: 9404afb07159a1b1b492f702e4432064e379ea71bd93325d24ead635e4ce8955
                              • Instruction Fuzzy Hash: 9B214B7150D7C09FDB038B24D990B11BF71AB46224F2985DBD8848F2A7C27A984ADB62
                              Uniqueness
                              • Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000001.00000002.589278192.0000000000F0D000.00000040.00000001.sdmp, Offset: 00F0D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: db75533cb9b6fa6099b867bfc3a53cb548d3d4cf5ca75b8a66c096981064a356
                              • Instruction ID: 8adbdd4d469489fc310d4735e9cadb6eb345b4009bab7673a187f8739832e531
                              • Opcode Fuzzy Hash: db75533cb9b6fa6099b867bfc3a53cb548d3d4cf5ca75b8a66c096981064a356
                              • Instruction Fuzzy Hash: EA11AF76804280CFCB15DF54D9C4B26BF61FB84324F28C6A9DC050B656C336D85AEBA1
                              Uniqueness
                              • Uniqueness Score: -1.00%
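The function records above answer two triage questions once they are machine-readable: which memory dumps hold executable, writable code that is not backed by a PE image (the usual location of unpacked or injected payloads), and which call sites recur across records so their bytes can be carved into a signature. The Python below is an added example, not part of the Joe Sandbox report; it parses a constructed subset of the records listed here. It assumes the .sdmp name layout (process index, context, sequence, base address, protection, type) and reads the protection field as the winnt.h PAGE_* constant; of those fields only the base address is confirmed by the report, through the matching Offset value.

```python
import re
from collections import defaultdict

# winnt.h page-protection constants. Assumption (not documented in the report):
# the fifth dotted field of a Joe Sandbox .sdmp name holds this value.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# Assumed field order of the dump name; only "base" is confirmed by the Offset value.
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<ctx>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$")
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.IGNORECASE)
API_REF_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+).*?\bref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
FIELD_RE = re.compile(r"^•\s*(?P<key>API String ID|Opcode ID|Instruction Fuzzy Hash):\s*(?P<val>\S*)\s*$")

# Constructed sample: four of the records listed above, trimmed to the fields used here.
SAMPLE = """
APIs
• KiUserExceptionDispatcher.NTDLL ref: 012FE00B
Memory Dump Source
• Source File: 00000001.00000002.589801020.00000000012F0000.00000040.00000001.sdmp, Offset: 012F0000, based on PE: false
Similarity
• API String ID: 6842923-0
• Opcode ID: 13455df73eb8cece71a0ae98f6afaf3e78c2706e74c6e86aabb321697ea2cb1e
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0639C107
Memory Dump Source
• Source File: 00000001.00000002.593901352.0000000006390000.00000040.00000001.sdmp, Offset: 06390000, based on PE: false
Similarity
• API String ID: 3793708945-0
• Opcode ID: dea88e6f46cda7e94d2759ba3aca59badef7d0fb086ce89879a2cf21af7158f5
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0639C107
Memory Dump Source
• Source File: 00000001.00000002.593901352.0000000006390000.00000040.00000001.sdmp, Offset: 06390000, based on PE: false
Similarity
• API String ID: 3793708945-0
• Opcode ID: 7834d547789e482d92b38501a69a8f0cf1de4cdd8c9df1fe6ff3621d549f6daf
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000001.00000002.589278192.0000000000F0D000.00000040.00000001.sdmp, Offset: 00F0D000, based on PE: false
Similarity
• API String ID:
• Opcode ID: 6af96bc4a3cc936980385b269f132fb206473b24eeed2bc4daf9e47075059b52
Uniqueness Score: -1.00%
"""


def parse_dump_name(name):
    """Split a Joe Sandbox .sdmp file name into its (assumed) fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("unexpected dump name: %s" % name)
    prot = int(m["prot"], 16)
    return {"proc_index": int(m["proc"], 16), "context": int(m["ctx"], 16),
            "sequence": int(m["seq"]), "base": int(m["base"], 16), "protect": prot,
            "protect_name": PAGE_PROTECT.get(prot & 0xFF, "UNKNOWN(0x%X)" % prot),
            "executable": bool(prot & EXEC_MASK), "writable": bool(prot & WRITE_MASK),
            "kind": int(m["kind"], 16)}


def parse_records(text):
    """One dict per function record; a record ends at its Uniqueness Score line."""
    records = []
    for chunk in re.split(r"Uniqueness Score:[^\n]*", text):
        rec = {"calls": []}
        for ln in (s.strip() for s in chunk.splitlines()):
            m = SOURCE_RE.search(ln)
            if m:
                rec.update(dump_name=m["name"], dump=parse_dump_name(m["name"]),
                           offset=int(m["offset"], 16), pe_backed=m["pe"].lower() == "true")
                continue
            m = API_REF_RE.match(ln)
            if m:
                rec["calls"].append(("%s.%s" % (m["api"], m["module"]), int(m["ref"], 16)))
                continue
            m = FIELD_RE.match(ln)
            if m:
                rec[m["key"]] = m["val"]
        if "dump" in rec:
            records.append(rec)
    return records


def triage(records):
    """Which dumps hold non-PE executable+writable code, which call sites recur,
    and where each call site sits relative to its dump base (for carving bytes)."""
    out = {"rwx_non_pe": {}, "by_api_string_id": defaultdict(list), "inconsistent": []}
    for rec in records:
        d = rec["dump"]
        if d["base"] != rec["offset"]:          # dump name and Offset field must agree
            out["inconsistent"].append(rec["dump_name"])
        if d["executable"] and d["writable"] and not rec["pe_backed"]:
            out["rwx_non_pe"][d["base"]] = d["protect_name"]
        out["by_api_string_id"][rec.get("API String ID", "")].append({
            "opcode_id": rec.get("Opcode ID"),
            "calls": [(api, ref, ref - d["base"]) for api, ref in rec["calls"]]})
    return out


if __name__ == "__main__":
    for base, prot in sorted(triage(parse_records(SAMPLE))["rwx_non_pe"].items()):
        print("non-PE executable region at 0x%08X (%s)" % (base, prot))
```

Every dump in the sample carries protection 0x40, which decodes to PAGE_EXECUTE_READWRITE, and none is PE-backed, so these are the regions to carve rather than the on-disk file. The two DuplicateHandle records share one call site (0639C107, 0xC107 bytes into the 06390000 dump) but have different Opcode IDs, so a rule written from either Opcode ID alone covers only one of the two hashed bodies; cutting bytes at the relative offset covers the call site itself.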

                              Non-executed Functions