
Analysis Report Import shipment.exe

Overview

General Information

Sample Name: Import shipment.exe
Analysis ID: 385333
MD5: c70decc03a9214f65a58ae036149fb17
SHA1: 2acb36495475fb87f39379d1dabbbaca0fba7a1a
SHA256: af1d434f702045685e163c36d8d24098389e7675eed56ae34a90532764df2d3b
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer


Startup

  • System is w10x64
  • Import shipment.exe (PID: 6784 cmdline: 'C:\Users\user\Desktop\Import shipment.exe' MD5: C70DECC03A9214F65A58AE036149FB17)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "working@omnlltd.comF]0fJ[fn)WB@server126.web-hosting.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.594372140.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.596645917.0000000002DA1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.338108074.0000000003F89000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: Import shipment.exe PID: 6784 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: Import shipment.exe PID: 6944 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Import shipment.exe.41adf08.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.Import shipment.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.Import shipment.exe.41adf08.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 1.2.Import shipment.exe.41adf08.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "working@omnlltd.comF]0fJ[fn)WB@server126.web-hosting.com"}
Multi AV Scanner detection for submitted file
Source: Import shipment.exe | ReversingLabs: Detection: 22%
Machine Learning detection for sample
Source: Import shipment.exe | Joe Sandbox ML: detected
Source: 4.2.Import shipment.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Import shipment.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Import shipment.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.6:49753 -> 198.54.126.165:587
Source: Joe Sandbox View | IP Address: 198.54.126.165 198.54.126.165
Source: unknown | DNS traffic detected: queries for: server126.web-hosting.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\Import shipment.exe | Code function: 4_2_0117085C SetWindowsHookExW 0000000D,00000000,?,? | 4_2_0117085C
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Import shipment.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Import shipment.exe
Source: C:\Users\user\Desktop\Import shipment.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 4.2.Import shipment.exe.400000.0.unpack, <PrivateImplementationDetails>{EAEDC3A4-F201-4F5C-8522-A36D33209B13}/1DA37684-131B-4897-86F6-3BD984CAA835.cs | Large array initialization: .cctor: array initializer size 12023
Source: Import shipment.exe, 00000001.00000002.343031540.0000000006151000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Import shipment.exe
Source: Import shipment.exe, 00000001.00000002.343031540.0000000006151000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQyFaLfbUzQfTIkIbuCUUMRJDQpUQZYaMcbZv.exe4 vs Import shipment.exe
Source: Import shipment.exe, 00000001.00000000.324852007.0000000000CC4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamer/ vs Import shipment.exe
Source: Import shipment.exe, 00000001.00000002.337995716.0000000002F61000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMetroFramework.dll> vs Import shipment.exe
Source: Import shipment.exe, 00000004.00000002.594801494.0000000000EF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Import shipment.exe
Source: Import shipment.exe, 00000004.00000002.596263207.0000000001370000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Import shipment.exe
Source: Import shipment.exe, 00000004.00000002.594702941.0000000000AE4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamer/ vs Import shipment.exe
Source: Import shipment.exe, 00000004.00000002.596040784.00000000011FA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Import shipment.exe
Source: Import shipment.exe, 00000004.00000002.601626006.0000000005F80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Import shipment.exe
Source: Import shipment.exe, 00000004.00000002.594372140.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameQyFaLfbUzQfTIkIbuCUUMRJDQpUQZYaMcbZv.exe4 vs Import shipment.exe
Source: Import shipment.exe | Binary or memory string: OriginalFilenamer/ vs Import shipment.exe
Source: Import shipment.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Import shipment.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.2.Import shipment.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
Source: C:\Users\user\Desktop\Import shipment.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Import shipment.exe.log
Source: C:\Users\user\Desktop\Import shipment.exe | Mutant created: \Sessions\1\BaseNamedObjects\oFVnotNmACUfm
Source: C:\Users\user\Desktop\Import shipment.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Import shipment.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Import shipment.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Import shipment.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Import shipment.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Import shipment.exe | ReversingLabs: Detection: 22%
Source: unknown | Process created: C:\Users\user\Desktop\Import shipment.exe 'C:\Users\user\Desktop\Import shipment.exe'
Source: C:\Users\user\Desktop\Import shipment.exe | Process created: C:\Users\user\Desktop\Import shipment.exe {path}
Source: C:\Users\user\Desktop\Import shipment.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Import shipment.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Import shipment.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Import shipment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Import shipment.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Import shipment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Import shipment.exe | Static PE information: 0xCCA75117 [Thu Oct 20 18:48:55 2078 UTC]
Source: C:\Users\user\Desktop\Import shipment.exe | Code function: 1_2_00C2B297 push cs; iretd | 1_2_00C2B29A
Source: C:\Users\user\Desktop\Import shipment.exe | Code function: 1_2_00C2B021 push cs; iretd | 1_2_00C2B024
Source: C:\Users\user\Desktop\Import shipment.exe | Code function: 1_2_00C2B02F push cs; iretd | 1_2_00C2B032
Source: C:\Users\user\Desktop\Import shipment.exe | Code function: 4_3_012D7D01 push edx; retf | 4_3_012D7D09
Source: C:\Users\user\Desktop\Import shipment.exe | Code function: 4_2_00A4B021 push cs; iretd | 4_2_00A4B024
Source: C:\Users\user\Desktop\Import shipment.exe | Code function: 4_2_00A4B02F push cs; iretd | 4_2_00A4B032
Source: C:\Users\user\Desktop\Import shipment.exe | Code function: 4_2_00A4B297 push cs; iretd | 4_2_00A4B29A
Source: C:\Users\user\Desktop\Import shipment.exe | Code function: 4_2_010FB5B7 push edi; retn 0000h | 4_2_010FB5B9
Source: C:\Users\user\Desktop\Import shipment.exe | Code function: 4_2_010FD420 push ecx; retf | 4_2_010FD421
Source: initial sample | Static PE information: section name: .text entropy: 7.88279722869
Source: C:\Users\user\Desktop\Import shipment.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Import shipment.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: Import shipment.exe PID: 6784, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Import shipment.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Import shipment.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Import shipment.exe, 00000001.00000002.343721953.0000000006588000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Import shipment.exe, 00000001.00000002.343031540.0000000006151000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Import shipment.exe | Thread delayed: delay time: 922337203685477 (reported 2 times)
Source: C:\Users\user\Desktop\Import shipment.exe | Window / User API: threadDelayed 9562
Source: C:\Users\user\Desktop\Import shipment.exe TID: 6788 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\Import shipment.exe TID: 6088 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\Import shipment.exe TID: 6268 | Thread sleep count: 9562 > 30
Source: C:\Users\user\Desktop\Import shipment.exe TID: 6088 | Thread sleep count: 46 > 30
Source: C:\Users\user\Desktop\Import shipment.exe TID: 6268 | Thread sleep count: 250 > 30
Source: C:\Users\user\Desktop\Import shipment.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Import shipment.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (reported 2 times)
Source: C:\Users\user\Desktop\Import shipment.exe | Thread delayed: delay time: 31500
Source: Import shipment.exe, 00000001.00000002.343721953.0000000006588000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: Import shipment.exe, 00000004.00000002.601626006.0000000005F80000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Import shipment.exe, 00000001.00000002.343721953.0000000006588000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Import shipment.exe, 00000001.00000002.343721953.0000000006588000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Import shipment.exe, 00000001.00000002.343721953.0000000006588000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Import shipment.exe, 00000001.00000002.343721953.0000000006588000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: Import shipment.exe, 00000001.00000002.343721953.0000000006588000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Import shipment.exe, 00000004.00000002.601626006.0000000005F80000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Import shipment.exe, 00000004.00000003.569143950.00000000012A9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: Import shipment.exe, 00000004.00000002.601626006.0000000005F80000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Import shipment.exe, 00000001.00000002.343721953.0000000006588000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Import shipment.exe, 00000001.00000002.343721953.0000000006588000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Import shipment.exe, 00000001.00000002.343721953.0000000006588000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Import shipment.exe, 00000004.00000002.601626006.0000000005F80000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Import shipment.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Import shipment.exe | Code function: 4_2_010F0A70 LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher, 4_2_010F0A70
Source: C:\Users\user\Desktop\Import shipment.exe | Process token adjusted: Debug (reported 2 times)
Source: C:\Users\user\Desktop\Import shipment.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Import shipment.exe | Process created: C:\Users\user\Desktop\Import shipment.exe {path}
Source: Import shipment.exe, 00000004.00000002.596350856.0000000001780000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Import shipment.exe, 00000004.00000002.596350856.0000000001780000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Import shipment.exe, 00000004.00000002.596350856.0000000001780000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: Import shipment.exe, 00000004.00000002.596350856.0000000001780000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Import shipment.exe | Queries volume information: C:\Users\user\Desktop\Import shipment.exe VolumeInformation (reported 2 times)
Source: C:\Users\user\Desktop\Import shipment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (reported 2 times)
Source: C:\Users\user\Desktop\Import shipment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (reported 2 times)
Source: C:\Users\user\Desktop\Import shipment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation (reported 2 times)
Source: C:\Users\user\Desktop\Import shipment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (reported 2 times)
Source: C:\Users\user\Desktop\Import shipment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (reported 3 times)
Source: C:\Users\user\Desktop\Import shipment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Import shipment.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000004.00000002.594372140.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.338108074.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Import shipment.exe PID: 6944, type: MEMORY
Source: Yara match | File source: 1.2.Import shipment.exe.41adf08.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Import shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Import shipment.exe.41adf08.2.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Import shipment.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Import shipment.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Import shipment.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Import shipment.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Import shipment.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Import shipment.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Import shipment.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (reported 2 times)
Source: C:\Users\user\Desktop\Import shipment.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Import shipment.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000004.00000002.596645917.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Import shipment.exe PID: 6944, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000004.00000002.594372140.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.338108074.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Import shipment.exe PID: 6944, type: MEMORY
Source: Yara match | File source: 1.2.Import shipment.exe.41adf08.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Import shipment.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Import shipment.exe.41adf08.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques listed per tactic column (numbers are the matrix cell badges as shown in the report):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation 211; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection 12; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 3; Timestomp 1; Masquerading 1; Virtualization/Sandbox Evasion 131; Process Injection 12
Credential Access: OS Credential Dumping 2; Input Capture 21; Credentials in Registry 1; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Information Discovery 114; Query Registry 1; Security Software Discovery 211; Process Discovery 2; Virtualization/Sandbox Evasion 131; Application Window Discovery 1; Remote System Discovery 1; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data 11; Data from Local System 2; Email Collection 1; Input Capture 21; Clipboard Data 1; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 1; Non-Standard Port 1; Non-Application Layer Protocol 1; Application Layer Protocol 11; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                  Behavior Graph

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

Source | Detection | Scanner | Label
Import shipment.exe | 23% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Import shipment.exe | 100% | Joe Sandbox ML |

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

Source | Detection | Scanner | Label
4.2.Import shipment.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                  Domains

                  No Antivirus matches

                  URLs

Source | Detection | Scanner | Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0- | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://6LRWb2WTxgUtmmS44W.org/ | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://ycagAe.com | 0% | Avira URL Cloud | safe
http://ocsp.us_ | 0% | Avira URL Cloud | safe
http://6LRWb2WTxgUtmmS44W.org | 0% | Avira URL Cloud | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                  Domains and IPs

                  Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
server126.web-hosting.com | 198.54.126.165 | true | false | | high

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | Import shipment.exe, 00000004.00000002.597989848.0000000003145000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:HTTP/1.1 | Import shipment.exe, 00000004.00000002.596645917.0000000002DA1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | Import shipment.exe, 00000004.00000002.596645917.0000000002DA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | Import shipment.exe, 00000004.00000002.597989848.0000000003145000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0- | Import shipment.exe, 00000004.00000002.597989848.0000000003145000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Import shipment.exe, 00000004.00000002.596645917.0000000002DA1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://6LRWb2WTxgUtmmS44W.org/ | Import shipment.exe, 00000004.00000002.597628700.00000000030A9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | Import shipment.exe, 00000004.00000002.596645917.0000000002DA1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://ycagAe.com | Import shipment.exe, 00000004.00000002.596645917.0000000002DA1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://server126.web-hosting.com | Import shipment.exe, 00000004.00000002.597989848.0000000003145000.00000004.00000001.sdmp | false | | high
http://ocsp.us_ | Import shipment.exe, 00000004.00000002.602307313.0000000006DC0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://6LRWb2WTxgUtmmS44W.org | Import shipment.exe, 00000004.00000002.597628700.00000000030A9000.00000004.00000001.sdmp, Import shipment.exe, 00000004.00000002.597917956.0000000003132000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org% | Import shipment.exe, 00000004.00000002.596645917.0000000002DA1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Import shipment.exe, 00000004.00000002.594372140.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                      Contacted IPs


                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.54.126.165 | server126.web-hosting.com | United States | 22612 | NAMECHEAP-NETUS | false

                      General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385333
Start date: 12.04.2021
Start time: 10:47:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 1s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Import shipment.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0.1%)
• Quality average: 66.9%
• Quality standard deviation: 34.8%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 73
• Number of non-executed functions: 3
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Found application associated with file extension: .exe
                      Warnings:
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/385333/sample/Import shipment.exe

                      Simulations

                      Behavior and APIs

Time | Type | Description
10:48:04 | API Interceptor | 752x Sleep call for process: Import shipment.exe modified

                      Joe Sandbox View / Context

                      IPs

Match: 198.54.126.165
Associated samples (each detected as malicious):
• PENDING ORDER.exe
• Import shipment.exe
• PU Request Form Hardware.exe
• URGENT INQUIRY.exe
• LIHUA Technology (HK) order form.exe
• Agency Appointment.exe
• mv Sider Capri.exe
• PURCHASE ORDER.exe
• URGENT INQUIRY.exe
• OnrdwvylabTVyTJPNeSsgJOsnERjD.exe
• SHIPMENT DETAILS.exe
• ATTACHED EXCEL SHEET ORDER.exe
• PI-007-DT-24-20.exe
• DHL Details.exe
• DHL Details.exe
• DHL Details.exe
• wC3Ns2vWCy.exe
• datasheet.exe
• DATA REQUIRMENT SHEET.exe
• PO1276579.pdf.exe

                                                              Domains

Match: server126.web-hosting.com
Associated Sample Name / URL | Detection | Context
PENDING ORDER.exe | malicious | 198.54.126.165
Import shipment.exe | malicious | 198.54.126.165
shipment details.exe | malicious | 198.54.126.165
PU Request Form Hardware.exe | malicious | 198.54.126.165
URGENT INQUIRY.exe | malicious | 198.54.126.165
LIHUA Technology (HK) order form.exe | malicious | 198.54.126.165
Agency Appointment.exe | malicious | 198.54.126.165
mv Sider Capri.exe | malicious | 198.54.126.165
PURCHASE ORDER.exe | malicious | 198.54.126.165
URGENT INQUIRY.exe | malicious | 198.54.126.165
OnrdwvylabTVyTJPNeSsgJOsnERjD.exe | malicious | 198.54.126.165
SHIPMENT DETAILS.exe | malicious | 198.54.126.165
ATTACHED EXCEL SHEET ORDER.exe | malicious | 198.54.126.165
PI-007-DT-24-20.exe | malicious | 198.54.126.165
DHL Details.exe | malicious | 198.54.126.165
DHL Details.exe | malicious | 198.54.126.165
DHL Details.exe | malicious | 198.54.126.165
wC3Ns2vWCy.exe | malicious | 198.54.126.165
datasheet.exe | malicious | 198.54.126.165
DATA REQUIRMENT SHEET.exe | malicious | 198.54.126.165

                                                              ASN

Match: NAMECHEAP-NETUS
Associated Sample Name / URL | Detection | Context
01_Enquiry Form.doc | malicious | 198.54.122.60
g2qwgG2xbe.exe | malicious | 198.54.126.105
8Pd6TOKQOf.exe | malicious | 199.193.7.228
Quotation2001100200.PDF.exe | malicious | 198.54.122.60
remittance info.xlsx | malicious | 198.54.117.215
SOA.exe | malicious | 162.0.229.227
Swift002.exe | malicious | 198.54.117.211
winlog.exe | malicious | 198.54.117.217
2021-Quotation.xlsx | malicious | 199.193.7.228
36ne6xnkop.exe | malicious | 198.54.126.105
1ucvVfbHnD.exe | malicious | 198.54.126.105
Dridex.xls | malicious | 198.54.114.131
Remittance Advice (1).xls | malicious | 198.54.114.220
Remittance Advice (1).xls | malicious | 198.54.114.220
Remittance Advice (1).xls | malicious | 198.54.114.220
giATspz5dw.exe | malicious | 104.219.248.15
Tepic.exe | malicious | 198.54.122.60
3.exe | malicious | 198.54.122.60
SecuriteInfo.com.Exploit.Siggen3.16583.277.xls | malicious | 199.188.200.93
Customer-100912288113.xlsx | malicious | 198.54.126.105

                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Import shipment.exe.log
                                                              Process:C:\Users\user\Desktop\Import shipment.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1216
                                                              Entropy (8bit):5.355304211458859
                                                              Encrypted:false
                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                              Malicious:true
                                                              Reputation:high, very likely benign file
                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                              C:\Users\user\AppData\Roaming\vj3nnghl.ba2\Chrome\Default\Cookies
                                                              Process:C:\Users\user\Desktop\Import shipment.exe
                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                              Category:dropped
                                                              Size (bytes):20480
                                                              Entropy (8bit):0.6951152985249047
                                                              Encrypted:false
                                                              SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
                                                              MD5:EA7F9615D77815B5FFF7C15179C6C560
                                                              SHA1:3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
                                                              SHA-256:A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
                                                              SHA-512:9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
                                                              Malicious:false
                                                              Reputation:moderate, very likely benign file
                                                              Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.875779706970726
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Windows Screen Saver (13104/52) 0.07%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:Import shipment.exe
                                                              File size:662528
                                                              MD5:c70decc03a9214f65a58ae036149fb17
                                                              SHA1:2acb36495475fb87f39379d1dabbbaca0fba7a1a
                                                              SHA256:af1d434f702045685e163c36d8d24098389e7675eed56ae34a90532764df2d3b
                                                              SHA512:a440172df4a7ad4b2125f233f3f8d7f342ab20c47e47e3edd1ce3254f3f4bb42d984d0670d3f4fcbbcfa854a73ac6de8ca0bf953cb62489ac52467cf0cfdbdcd
                                                              SSDEEP:12288:R7WAGdp+LZ6FVQrWYRTCtmp2q/iTS9u6MYy:NWAGd0LZ6FiWYRTCU45PK
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q................0..............0... ...@....@.. ....................................@................................

                                                              File Icon

                                                              Icon Hash:00828e8e8686b000

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x4a3002
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                              Time Stamp:0xCCA75117 [Thu Oct 20 18:48:55 2078 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:v4.0.30319
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

Instruction
jmp dword ptr [00402000h]    ; 0x402000 = Imagebase 0x400000 + IAT RVA 0x2000: the native stub of a .NET executable jumps through its single IAT slot to mscoree!_CorExeMain
add byte ptr [eax], al       ; repeated for the rest of the preview window: the disassembler is decoding the zero bytes that follow the stub, not real code

                                                              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa2fb0 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x5f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa2f94 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa1008 | 0xa1200 | False | 0.89808445258 | data | 7.88279722869 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xa4000 | 0x5f8 | 0x600 | False | 0.439453125 | data | 4.24639037543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xa4090 | 0x366 | data | |
RT_MANIFEST | 0xa4408 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                              Imports

DLL | Import
mscoree.dll | _CorExeMain
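The static block above carries three signals a practitioner would re-check by hand: a link-time stamp in 2078 (the "suspicious time stamp" signature), a 7.88-bit-per-byte .text section holding almost the whole 662 KB file, and a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, which is what makes this PE32 a .NET assembly whose native entry point is nothing but `jmp dword ptr [IAT]` to mscoree!_CorExeMain. The script below is an added example, not part of the Joe Sandbox report and not code from the analysed binary: it parses the PE32 headers with struct, computes section entropy, and checks that the entry-point stub really jumps through the IAT directory. The input image is constructed inside the script; only the timestamp 0xCCA75117, the image base 0x400000, the IAT RVA 0x2000 and the 0x48-byte CLR header at 0x2008 are taken from the report, and the 7.0 entropy threshold is an assumption. One caveat the report does not state: Roslyn deterministic builds also write a content hash rather than a time into this field, so a nonsense timestamp on its own is weak evidence of tampering and should be read together with the entropy and packing indicators.

```python
"""Static PE32 triage: future timestamp, high-entropy code section, .NET entry stub.

Added example, not part of the Joe Sandbox report. The sample image is
constructed by build_sample_pe(); the 7.0 bits/byte threshold is an assumption.
"""
import math
import random
import struct
from datetime import datetime, timedelta
from typing import Optional

PE32_MAGIC = 0x10B
DIR_IAT = 12
DIR_COM_DESCRIPTOR = 14          # non-zero entry => managed (.NET) image
NUM_DIRS = 16
SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0          # assumption: executable section above this looks packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Read the header fields a triage needs from a PE32 file image."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", blob, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(NUM_DIRS)]
    sections = []
    for i in range(nsections):                          # IMAGE_SECTION_HEADER is 40 bytes
        hdr = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", blob, hdr)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "image_base": image_base,
            "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> Optional[int]:
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["vaddr"])
    return None


def triage(blob: bytes, now: int) -> dict:
    """Findings as plain values; `now` is the reference epoch time for the timestamp check."""
    pe = parse_pe(blob)
    year = (datetime(1970, 1, 1) + timedelta(seconds=pe["timestamp"])).year
    iat_va, _ = pe["dirs"][DIR_IAT]
    clr_va, clr_size = pe["dirs"][DIR_COM_DESCRIPTOR]
    off = rva_to_offset(pe, pe["entry_rva"])
    stub = blob[off:off + 6] if off is not None else b""
    # .NET native stub: FF 25 <absolute address of the IAT slot holding _CorExeMain>
    jmp_via_iat = (stub[:2] == b"\xff\x25"
                   and struct.unpack_from("<I", stub, 2)[0] - pe["image_base"] == iat_va)
    return {"is_dotnet": clr_va != 0 and clr_size != 0,
            "timestamp_year": year,
            "timestamp_future": pe["timestamp"] > now,
            "entry_jmp_via_iat": jmp_via_iat,
            "high_entropy_sections": [s["name"] for s in pe["sections"]
                                      if s["chars"] & SCN_MEM_EXECUTE and s["entropy"] > ENTROPY_THRESHOLD]}


def build_sample_pe() -> bytes:
    """Constructed PE32 with one .text section (demonstration input, not the analysed file)."""
    image_base, text_rva, text_raw, text_size = 0x400000, 0x2000, 0x200, 0x400
    entry_rva = text_rva + 0x100
    rng = random.Random(1)
    body = bytearray(rng.getrandbits(8) for _ in range(text_size))   # stands in for an encrypted payload
    body[0:8] = b"\0" * 8                                            # IAT slot + terminator at RVA 0x2000
    body[0x100:0x106] = b"\xff\x25" + struct.pack("<I", image_base + text_rva)  # jmp dword ptr [0x402000]
    dirs = [(0, 0)] * NUM_DIRS
    dirs[DIR_IAT] = (text_rva, 8)
    dirs[DIR_COM_DESCRIPTOR] = (text_rva + 8, 0x48)                  # CLR header right after the IAT
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0xCCA75117, 0, 0, 96 + 8 * NUM_DIRS, 0x0102)
    opt = bytearray(96 + 8 * NUM_DIRS)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, NUM_DIRS)
    for i, (va, size) in enumerate(dirs):
        struct.pack_into("<II", opt, 96 + 8 * i, va, size)
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size, text_raw,
                       0, 0, 0, 0, SCN_MEM_EXECUTE | 0x40000000 | 0x20)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect
    return headers.ljust(text_raw, b"\0") + bytes(body)


if __name__ == "__main__":
    print(triage(build_sample_pe(), now=1618217400))   # 2021-04-12, the report's analysis day
```

Run against a real file, replace `build_sample_pe()` with the file's bytes; the entry-stub check is what separates a genuine managed image (stub points at the IAT directory) from a native packer that merely keeps a CLR header around for appearances.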

                                                              Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Integra Wealth
Assembly Version | 1.8.9.10
InternalName | rb.exe
FileVersion | 1.9.1.0
CompanyName | Integra Wealth
LegalTrademarks |
Comments |
ProductName | ReplacementFallback
ProductVersion | 1.9.1.0
FileDescription | ReplacementFallback
OriginalFilename | rb.exe

                                                              Network Behavior

                                                              Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source IP | Dest IP (ICMP carries no ports)
04/12/21-10:48:02.995749 | ICMP | 384 | ICMP PING | 192.168.2.6 | 93.184.221.240
04/12/21-10:48:03.030703 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | 84.17.52.126 | 192.168.2.6
04/12/21-10:48:03.031631 | ICMP | 384 | ICMP PING | 192.168.2.6 | 93.184.221.240
04/12/21-10:48:03.067430 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | 5.56.20.161 | 192.168.2.6
04/12/21-10:48:03.067823 | ICMP | 384 | ICMP PING | 192.168.2.6 | 93.184.221.240
04/12/21-10:48:03.110774 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | 81.95.15.57 | 192.168.2.6
04/12/21-10:48:03.111262 | ICMP | 384 | ICMP PING | 192.168.2.6 | 93.184.221.240
04/12/21-10:48:03.153152 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | 152.195.101.202 | 192.168.2.6
04/12/21-10:48:03.153617 | ICMP | 384 | ICMP PING | 192.168.2.6 | 93.184.221.240
04/12/21-10:48:03.195257 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | 152.195.101.129 | 192.168.2.6
04/12/21-10:48:03.195877 | ICMP | 384 | ICMP PING | 192.168.2.6 | 93.184.221.240
04/12/21-10:48:03.236459 | ICMP | 408 | ICMP Echo Reply | 93.184.221.240 | 192.168.2.6
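Every Snort alert in the list above is ICMP; the TCP session from the sandbox host to 198.54.126.165 on port 587 (SMTP submission, the channel this family uses to mail harvested credentials, and the host the Domains context resolves to server126.web-hosting.com) raised none. The script below is an added example, not part of the Joe Sandbox report: it folds a packet list into bidirectional flows and flags a private host talking to a public mail port. The packet lines are constructed from the TCP Packets table further down (times cut to milliseconds); the second, internal flow to 192.168.2.10 is invented to show the negative case, and the "first packet names the client" rule and the mail-port set are assumptions, not rules the sandbox applies.

```python
"""Flow reconstruction and mail-port exfiltration check over a packet list.

Added example, not part of the Joe Sandbox report. SAMPLE_PACKETS is constructed
from the report's TCP Packets table plus one invented internal flow.
"""
from ipaddress import ip_address

MAIL_PORTS = {25, 465, 587}   # SMTP, SMTPS, submission (assumption: the ports worth flagging)

SAMPLE_PACKETS = """\
10:49:54.191 192.168.2.6:49753 > 198.54.126.165:587
10:49:54.385 198.54.126.165:587 > 192.168.2.6:49753
10:49:54.386 192.168.2.6:49753 > 198.54.126.165:587
10:49:54.859 198.54.126.165:587 > 192.168.2.6:49753
10:49:54.860 192.168.2.6:49753 > 198.54.126.165:587
10:49:55.054 198.54.126.165:587 > 192.168.2.6:49753
10:49:55.055 192.168.2.6:49753 > 198.54.126.165:587
10:49:55.260 198.54.126.165:587 > 192.168.2.6:49753
10:49:55.305 192.168.2.6:49753 > 198.54.126.165:587
10:49:55.347 192.168.2.6:49753 > 198.54.126.165:587
10:49:55.565 198.54.126.165:587 > 192.168.2.6:49753
10:49:55.565 198.54.126.165:587 > 192.168.2.6:49753
10:49:55.565 198.54.126.165:587 > 192.168.2.6:49753
10:49:55.565 198.54.126.165:587 > 192.168.2.6:49753
10:50:01.000 192.168.2.6:49760 > 192.168.2.10:587
10:50:01.002 192.168.2.10:587 > 192.168.2.6:49760
"""


def parse_packets(text):
    """Yield (timestamp, (src_ip, src_port), (dst_ip, dst_port)) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield ts, (sip, int(sport)), (dip, int(dport))


def build_flows(packets):
    """Fold packets into bidirectional flows; the first packet seen names the client side."""
    flows = {}
    for ts, src, dst in packets:
        key = tuple(sorted((src, dst)))
        f = flows.setdefault(key, {"client": src, "server": dst, "out": 0, "in": 0,
                                   "first": ts, "last": ts})
        f["out" if src == f["client"] else "in"] += 1
        f["last"] = ts
    return list(flows.values())


def mail_exfil_hits(flows):
    """One string per flow from a private client to a public mail port."""
    hits = []
    for f in flows:
        (cip, cport), (sip, sport) = f["client"], f["server"]
        if sport in MAIL_PORTS and ip_address(cip).is_private and ip_address(sip).is_global:
            hits.append("%s:%d -> %s:%d mail submission, %d packets out / %d in, %s..%s"
                        % (cip, cport, sip, sport, f["out"], f["in"], f["first"], f["last"]))
    return hits


if __name__ == "__main__":
    for hit in mail_exfil_hits(build_flows(parse_packets(SAMPLE_PACKETS))):
        print(hit)
```

The internal relay flow is left alone because its server side is RFC 1918; the point of the public-address test is that a workstation submitting mail straight to an external hosting box, rather than through the organisation's own relay, is the behaviour worth an alert regardless of whether any Snort signature matches the payload.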

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 10:49:54.191900969 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:54.385782003 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:54.386179924 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:54.859627962 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:54.860271931 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:55.054825068 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:55.055085897 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:55.260812044 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:55.305738926 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:55.347160101 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:55.565828085 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:55.565866947 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:55.565891981 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:55.565908909 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:55.565994978 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:55.566126108 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:55.571527004 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:55.606297970 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:55.801290989 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:55.852679968 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:56.069519043 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:56.268513918 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:56.270733118 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:56.464813948 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:56.465893984 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:56.681178093 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:56.682378054 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:56.876218081 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:56.879336119 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:57.102574110 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:57.103195906 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:57.298124075 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:57.299489975 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:57.299664974 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:57.300602913 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:57.300720930 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:57.493074894 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:57.493123055 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:57.494285107 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:57.494313002 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:57.504060030 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:57.555977106 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:59.171813965 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:59.368077040 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:49:59.368302107 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:59.476660967 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:49:59.905551910 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:00.101599932 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:00.101917028 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:00.324060917 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:00.324637890 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:00.519011974 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:00.519304991 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:00.717719078 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:00.718795061 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:00.923458099 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:00.923491955 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:00.923504114 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:00.923511982 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:00.923820972 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:00.925647974 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:00.933744907 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:01.129595041 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:01.133305073 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:01.327502012 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:01.327948093 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:01.521976948 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:01.523004055 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:01.722630978 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:01.723248005 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:01.916877031 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:01.917229891 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:02.116987944 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:02.137140036 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:02.331204891 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:02.333000898 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:02.333101034 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:02.333214998 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:02.333313942 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:02.333487034 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:02.333561897 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:02.333646059 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:02.333714962 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165
Apr 12, 2021 10:50:02.527345896 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:02.527398109 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:02.527415037 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:02.527431011 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:02.527446985 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:02.527465105 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:02.527491093 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:02.538470984 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6
Apr 12, 2021 10:50:02.587754965 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 10:47:55.756588936 CEST | 63791 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:47:55.816066027 CEST | 53 | 63791 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:47:58.054960966 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:47:58.112131119 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:47:59.206531048 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:47:59.255312920 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:00.397649050 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:00.449237108 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:01.797868967 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:01.846671104 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:02.931085110 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:02.937936068 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:02.986511946 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:02.994849920 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:11.893841982 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:11.946032047 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:29.895128965 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:29.946644068 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:33.924118996 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:33.983228922 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:45.860733032 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:45.910515070 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:47.094057083 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:47.142798901 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:47.889925003 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:48.000396013 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:48.513565063 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:48.653605938 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:49.224756956 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:49.316055059 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:49.317795992 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:49.381371975 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:49.758485079 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:49.776926041 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:49.816907883 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:49.826123953 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:50.388044119 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:50.476705074 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:51.029290915 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:51.086013079 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:51.509377003 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:51.566610098 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:52.938544989 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:52.996104002 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:53.824960947 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:53.886890888 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:54.473404884 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:54.530843973 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:56.052721024 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:56.104418039 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:57.568150997 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:57.616981983 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:48:58.355361938 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:48:58.412851095 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:00.883996964 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:00.935914993 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:04.266478062 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:04.438817024 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:04.957335949 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:05.006026030 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:05.756541014 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:05.824378014 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:05.841919899 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:05.890906096 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:06.659635067 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:06.722001076 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:35.185866117 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:35.247623920 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:37.821677923 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:37.878963947 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:39.156030893 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:39.207937956 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:42.658782005 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:42.707505941 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:44.193980932 CEST | 58177 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:44.242670059 CEST | 53 | 58177 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:47.130911112 CEST | 50700 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:47.179882050 CEST | 53 | 50700 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:54.015028000 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:54.093194962 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6
Apr 12, 2021 10:49:59.754203081 CEST | 61178 | 53 | 192.168.2.6 | 8.8.8.8
Apr 12, 2021 10:49:59.903330088 CEST | 53 | 61178 | 8.8.8.8 | 192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 10:49:54.015028000 CEST | 192.168.2.6 | 8.8.8.8 | 0xa9b7 | Standard query (0) | server126.web-hosting.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:49:59.754203081 CEST | 192.168.2.6 | 8.8.8.8 | 0xc2b | Standard query (0) | server126.web-hosting.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 10:49:54.093194962 CEST | 8.8.8.8 | 192.168.2.6 | 0xa9b7 | No error (0) | server126.web-hosting.com |  | 198.54.126.165 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:49:59.903330088 CEST | 8.8.8.8 | 192.168.2.6 | 0xc2b | No error (0) | server126.web-hosting.com |  | 198.54.126.165 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 12, 2021 10:49:54.859627962 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6 | 220-server126.web-hosting.com ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 04:49:54 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 12, 2021 10:49:54.860271931 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165 | EHLO 065367
Apr 12, 2021 10:49:55.054825068 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6 | 250-server126.web-hosting.com Hello 065367 [84.17.52.3]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-X_PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 12, 2021 10:49:55.055085897 CEST | 49753 | 587 | 192.168.2.6 | 198.54.126.165 | STARTTLS
Apr 12, 2021 10:49:55.260812044 CEST | 587 | 49753 | 198.54.126.165 | 192.168.2.6 | 220 TLS go ahead
Apr 12, 2021 10:50:00.324060917 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6 | 220-server126.web-hosting.com ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 04:50:00 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 12, 2021 10:50:00.324637890 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165 | EHLO 065367
Apr 12, 2021 10:50:00.519011974 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6 | 250-server126.web-hosting.com Hello 065367 [84.17.52.3]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-X_PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 12, 2021 10:50:00.519304991 CEST | 49754 | 587 | 192.168.2.6 | 198.54.126.165 | STARTTLS
Apr 12, 2021 10:50:00.717719078 CEST | 587 | 49754 | 198.54.126.165 | 192.168.2.6 | 220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 10:48:03
Start date: 12/04/2021
Path: C:\Users\user\Desktop\Import shipment.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Import shipment.exe'
Imagebase: 0xc20000
File size: 662528 bytes
MD5 hash: C70DECC03A9214F65A58AE036149FB17
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.338108074.0000000003F89000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 10:48:07
Start date: 12/04/2021
Path: C:\Users\user\Desktop\Import shipment.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xa40000
File size: 662528 bytes
MD5 hash: C70DECC03A9214F65A58AE036149FB17
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.594372140.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.596645917.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis

Executed Functions

Memory Dump Source
• Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 765819f63289d2be21a658f7bf0c16be06424b66dfc15167bbf0d37d80fc92c8
• Instruction ID: 3b347279a0bc504fffbc0936d63841a00bc145dea09ee801f711c2e5c4fc2c8a
• Opcode Fuzzy Hash: 765819f63289d2be21a658f7bf0c16be06424b66dfc15167bbf0d37d80fc92c8
• Instruction Fuzzy Hash: C1C16EB98117468FD320DF65EC981893BB1FB85328F506309D6636FAD8D7B410AACF84
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 0162B730
• GetCurrentThread.KERNEL32 ref: 0162B76D
• GetCurrentProcess.KERNEL32 ref: 0162B7AA
• GetCurrentThreadId.KERNEL32 ref: 0162B803
Memory Dump Source
• Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
Similarity
• API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: 1e46c709a063aeb060953c72700dfa6157923978e7fce788fbb519fcfa18a4c1
                                                                • Instruction ID: 15435fa178c5187d3a03cdda18f81a4145457f90a600a51cae672f8210fd2c85
                                                                • Opcode Fuzzy Hash: 1e46c709a063aeb060953c72700dfa6157923978e7fce788fbb519fcfa18a4c1
                                                                • Instruction Fuzzy Hash: AF5143B49006598FEB54CFA9D988BEEBFF0EF88314F24849AE019A7350D7749844CF65
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 0162B730
                                                                • GetCurrentThread.KERNEL32 ref: 0162B76D
                                                                • GetCurrentProcess.KERNEL32 ref: 0162B7AA
                                                                • GetCurrentThreadId.KERNEL32 ref: 0162B803
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: dcdcfa22868ddea28747321f5d0b6ad1c03e80ed5a59f46db391d0a4c72e38e9
                                                                • Instruction ID: 27f1c300b3bd58605bb3f3eaba37a8778f6e7c3a20630eedc71105649692d315
                                                                • Opcode Fuzzy Hash: dcdcfa22868ddea28747321f5d0b6ad1c03e80ed5a59f46db391d0a4c72e38e9
                                                                • Instruction Fuzzy Hash: E45144B49006498FDB54CFAAD948BEEBFF0FB88314F24845AE019A7350D774A844CF65
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 50d51c22607b86e3673314c48f057c05c070a2384b039fe9a5610db71fbe975c
                                                                • Instruction ID: c90c46e3a0da27551005deddc06206cf720056152d779d0df88bd09c96fe02c8
                                                                • Opcode Fuzzy Hash: 50d51c22607b86e3673314c48f057c05c070a2384b039fe9a5610db71fbe975c
                                                                • Instruction Fuzzy Hash: FA91A2B1C093889FCB02CFA5C8915CDBFB5AF4A314F5981DBE484AB262D335985ACF51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0162FE4A
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                • Opcode ID: d42c525ce307f80741bd607231dffba7f59bd0880b0130ef829f324127771608
                                                                • Instruction ID: f274917a3a7f6b5d71b75fabb916702a9c36c15959f8fa95d69799de4ce747e7
                                                                • Opcode Fuzzy Hash: d42c525ce307f80741bd607231dffba7f59bd0880b0130ef829f324127771608
                                                                • Instruction Fuzzy Hash: FD41CFB5D00319AFDB14CF9AC884ADEBFB5BF88314F24852AE419AB210D7749845CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 01625421
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: 53bba38e675dddac99b703cdb4ec656f79af6c33b701875fa30cb1600ef0ca65
                                                                • Instruction ID: 0504dd9beec388bc02ea0166ba5b9e1f49f6f4ef6dbf7fc9f1716c06a814f513
                                                                • Opcode Fuzzy Hash: 53bba38e675dddac99b703cdb4ec656f79af6c33b701875fa30cb1600ef0ca65
                                                                • Instruction Fuzzy Hash: 32410571D04628CFDB24DFA9C8847DEFBB1BF49309F25806AD409AB251DB745946CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 01625421
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: 24a9854a5835032024973a581b0a5038dfae971d9a39fd79c3e23fac8b4cee32
                                                                • Instruction ID: e8affa7d21581bab401d69ecd07799d42d7daadd70042d96274f811952069da1
                                                                • Opcode Fuzzy Hash: 24a9854a5835032024973a581b0a5038dfae971d9a39fd79c3e23fac8b4cee32
                                                                • Instruction Fuzzy Hash: 35410670D04628CFDB24DFAAC8447DEFBB1BF49304F21806AD409AB251DB756945CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0162B97F
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 617e8cb606e3908638be945f4235ae70a5fbbe89fc9a79a2d81fc87e80fc304a
                                                                • Instruction ID: 91359b4087e4f866f19f918423b93de975d07f49353dbea1b149ae41aa5791aa
                                                                • Opcode Fuzzy Hash: 617e8cb606e3908638be945f4235ae70a5fbbe89fc9a79a2d81fc87e80fc304a
                                                                • Instruction Fuzzy Hash: A421E0B9D007199FDB10CFA9D984ADEBBF4EB48324F14841AE918A7311D374A944CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0162B97F
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 67e09a305c96e2cb74b854f510521f137dc8f46a70f93aabf8544c829a90eab5
                                                                • Instruction ID: 119362da7a8146469adb7092e9eb1ef3736a093d06ac90f2cb7ff32dc98f198e
                                                                • Opcode Fuzzy Hash: 67e09a305c96e2cb74b854f510521f137dc8f46a70f93aabf8544c829a90eab5
                                                                • Instruction Fuzzy Hash: E321C4B5D002189FDB10CFAAD884ADEBFF8EB49324F14841AE914A7310D374A954CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01629951,00000800,00000000,00000000), ref: 01629B62
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                • Opcode ID: 5cbfed9906cc326a40ca02771b9567001d6dc47c67ac469512b6d9a0790a3490
                                                                • Instruction ID: 6ebba05407c82834d3b44eb457bdb09c9a773b061693dfdc46a470984439212b
                                                                • Opcode Fuzzy Hash: 5cbfed9906cc326a40ca02771b9567001d6dc47c67ac469512b6d9a0790a3490
                                                                • Instruction Fuzzy Hash: 561114B69007199FDB10DF9AD884ADEFBF4EB88324F14852EE919A7300C774A545CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01629951,00000800,00000000,00000000), ref: 01629B62
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                • Opcode ID: 71d4546f9f902bb9d657343232d5b7a422b8f398cfecfc44905f2768be78d2d9
                                                                • Instruction ID: 76953f9ee593a76da811ab83a8a4078b435164fa7b7161b9a9f83c8bdff77f7b
                                                                • Opcode Fuzzy Hash: 71d4546f9f902bb9d657343232d5b7a422b8f398cfecfc44905f2768be78d2d9
                                                                • Instruction Fuzzy Hash: E21117B69002599FDB10CFAAD444ADEFBF4AB88324F14855AE415A7700C375A545CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 016298D6
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: f1602dc0f9fed647a1cb5225cc04d0300768ffc621496e3a9162469fa5098e5e
                                                                • Instruction ID: 9283164844345a32c15c3400657633e297cd8cbfcc5a4995027af4f3b0b26ebf
                                                                • Opcode Fuzzy Hash: f1602dc0f9fed647a1cb5225cc04d0300768ffc621496e3a9162469fa5098e5e
                                                                • Instruction Fuzzy Hash: 291120BAC006188FDB10CFAAC8447DEBBF4AF88324F14845AD428B7700C378A545CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 016298D6
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 3460a22b3121e9731924fbc6755b4a0e816b936b44a744a4f7a607117e651e93
                                                                • Instruction ID: ece59736452b629859e2b3573a39543d6827fd207930cd3edfbd156cfab28502
                                                                • Opcode Fuzzy Hash: 3460a22b3121e9731924fbc6755b4a0e816b936b44a744a4f7a607117e651e93
                                                                • Instruction Fuzzy Hash: A91102B5C006198FDB10DF9AD844ADEFBF4EB88324F15841AD429A7700C378A545CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337205214.0000000000C22000.00000002.00020000.sdmp, Offset: 00C20000, based on PE: true
                                                                • Associated: 00000001.00000002.337199345.0000000000C20000.00000002.00020000.sdmp
                                                                • Associated: 00000001.00000002.337267417.0000000000CC4000.00000002.00020000.sdmp
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e3da61e73659ef827b5ac00ffc73bcc8536aa42a3cfe4c2c33c608bdbfa3fd6b
                                                                • Instruction ID: c020012501e9258274ffa28d04b9fd7a7aa95266b7a21b91f77c7598e14bf562
                                                                • Opcode Fuzzy Hash: e3da61e73659ef827b5ac00ffc73bcc8536aa42a3cfe4c2c33c608bdbfa3fd6b
                                                                • Instruction Fuzzy Hash: 5BA2E09280E7D19FDB139B786DB12A1BFB1AD63214B1E48C7C0C0CF4A7E119195BE726
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4326b8168d898d3ab5fa304efbc467cee6c462b10fff5181ceeecb430c30ee45
                                                                • Instruction ID: e21a6594be267e80adb37dc361210f1b0ace677a9cd81f67f03bb226e49fab8c
                                                                • Opcode Fuzzy Hash: 4326b8168d898d3ab5fa304efbc467cee6c462b10fff5181ceeecb430c30ee45
                                                                • Instruction Fuzzy Hash: DE12E7F94117468BE330DF65ED981893BA1F745328F906308DA632FAD9D7B411AACF44
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.337884553.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2aed01dadb16077e4a5efcf7a004046d649dc457a309fc849cc50d08ba051973
                                                                • Instruction ID: 76f37efa0f0391bb989423de73ea0d4db24cdddd03966a7fefa2b6027cf9ce58
                                                                • Opcode Fuzzy Hash: 2aed01dadb16077e4a5efcf7a004046d649dc457a309fc849cc50d08ba051973
                                                                • Instruction Fuzzy Hash: 10A18F32E0061A8FCF15DFE9C8449DEBBB2FF85300B15816AE905BB261DB75A955CF80
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Executed Functions

                                                                APIs
                                                                • LdrInitializeThunk.NTDLL ref: 010F0D1B
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F1355
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionInitializeThunkUser
                                                                • String ID:
                                                                • API String ID: 243558500-0
                                                                • Opcode ID: 2cee2482e30340df0118737e3d1da721c5aa70c805a72b6d2e24343fbb3e539b
                                                                • Instruction ID: c7bf9b3f6741303d27e7ee0b55ce7d2e9c0c784ddceb89bca53812bd4f1e349d
                                                                • Opcode Fuzzy Hash: 2cee2482e30340df0118737e3d1da721c5aa70c805a72b6d2e24343fbb3e539b
                                                                • Instruction Fuzzy Hash: 9AA235B4A04228CFCB65EF24C85869DBBB6BF88305F1084E9D60AA3744DF349E85CF55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595802291.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 5cdf7664baf74bbcefcdd08112a8b93f79f146eb0a3c093287100a242c9a886b
                                                                • Instruction ID: e9ac41a649d1ea66d08c73d7ec7e8bb66cc97a48ab6418e165be4c675168e77b
                                                                • Opcode Fuzzy Hash: 5cdf7664baf74bbcefcdd08112a8b93f79f146eb0a3c093287100a242c9a886b
                                                                • Instruction Fuzzy Hash: 59622975E006198FDB24EFB8C8546EEBBB1AF89300F5085A9D54AAB354EF309D85CF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 011720B3
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595716392.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
                                                                Similarity
                                                                • API ID: HookWindows
                                                                • String ID:
                                                                • API String ID: 2559412058-0
                                                                • Opcode ID: 29a4867dd7a47bdde1f50692c75b03765c1b1cd929a0e44b71ad61602bd84146
                                                                • Instruction ID: b9ddec9d3d6044c7fbf584e74608d9be6f828053919826013b34cabdc38771cb
                                                                • Opcode Fuzzy Hash: 29a4867dd7a47bdde1f50692c75b03765c1b1cd929a0e44b71ad61602bd84146
                                                                • Instruction Fuzzy Hash: 612118759002099FCB14DF99C844BEFBBF5FB88314F148419E515A7350D774A945CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%
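
The first value the sandbox recorded for the SetWindowsHookExW call above, 0x0000000D, is the idHook parameter (on x86 stdcall it is the first value pushed), and 13 is WH_KEYBOARD_LL from winuser.h: the low-level keyboard hook behind the "Installs a global keyboard hook" signature in this report. The Python triage helper below is an added example, not part of the Joe Sandbox report or its tooling. It parses "APIs" bullets in the report's own format, decodes the idHook argument of SetWindowsHookExA/W (including the signed case, since WH_MSGFILTER is -1), and flags the hook types that deliver keystrokes or mouse events to the caller. The parsing regex and the WH_* table are the added assumptions; the sample lines are copied from this section's entries, with one non-call line included to show it is skipped, and only the first slot of SetWindowsHookEx is decoded because the remaining values are whatever the sandbox captured on the stack.

```python
"""Triage helper for Joe Sandbox 'APIs' call lines: decode SetWindowsHookEx hook types.

Added example, not part of the report. Input lines are copied from the report;
the parser and the WH_* table are the added part.
"""
import re
from typing import Dict, List, Optional

# Hook identifiers for SetWindowsHookEx(idHook, ...) as defined in <winuser.h>.
WH_NAMES = {
    -1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
    2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
    6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 8: "WH_HARDWARE", 9: "WH_DEBUG",
    10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET",
    13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}
# Hook types that hand every keystroke or mouse event on the desktop to the caller.
INPUT_CAPTURE_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL", "WH_MOUSE",
                       "WH_MOUSE_LL", "WH_JOURNALRECORD"}

# One report line:  • Api.Module(arg,arg,?), ref: ADDR   or   • Api.Module ref: ADDR
_CALL_RE = re.compile(
    r"^\s*•?\s*(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_call(line: str) -> Optional[Dict]:
    """Return {'api', 'module', 'args', 'ref'} for one 'APIs' bullet, or None if
    the line is not a call line. Slots the sandbox left unresolved ('?') become None."""
    m = _CALL_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    if raw is None or raw == "":
        args: List[Optional[int]] = []
    else:
        args = [None if a == "?" else int(a, 16) for a in raw.split(",")]
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def decode_hook(call: Dict) -> Optional[str]:
    """Name the idHook value for SetWindowsHookExA/W (first parameter).
    Returns None for other APIs or when the slot was not resolved."""
    if not call["api"].startswith("SetWindowsHookEx") or not call["args"]:
        return None
    id_hook = call["args"][0]
    if id_hook is None:
        return None
    if id_hook >= 0x80000000:          # idHook is a signed int; WH_MSGFILTER is -1
        id_hook -= 0x100000000
    return WH_NAMES.get(id_hook, f"WH_UNKNOWN({id_hook})")


def triage(lines: List[str]) -> List[Dict]:
    """Parse every call line and attach the decoded hook type and an input-capture flag."""
    findings = []
    for line in lines:
        call = parse_call(line)
        if call is None:
            continue
        hook = decode_hook(call)
        call["hook"] = hook
        call["input_capture"] = hook in INPUT_CAPTURE_HOOKS
        findings.append(call)
    return findings


# Lines copied from this report's 'APIs' entries; the last line is a non-call line.
REPORT_LINES = [
    "• SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 011720B3",
    "• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01629951,00000800,00000000,00000000), ref: 01629B62",
    "• GetCurrentProcess.KERNEL32 ref: 0162B730",
    "• CreateActCtxA.KERNEL32(?), ref: 01625421",
    "Uniqueness Score: -1.00%",
]

if __name__ == "__main__":
    for f in triage(REPORT_LINES):
        flag = "  <-- keystroke capture" if f["input_capture"] else ""
        print(f"{f['api']:<20} {f['module']:<10} ref=0x{f['ref']:08X} hook={f['hook']}{flag}")
```

Run against the four call lines above, the helper reports WH_KEYBOARD_LL for the SetWindowsHookExW entry and flags it as keystroke capture; the other calls carry no hook and the stray score line is skipped. The same parser can be pointed at the whole "APIs" section of a report to list every hook a sample installs.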

                                                                APIs
                                                                • LdrInitializeThunk.NTDLL ref: 010F0D1B
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F1355
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: ae9c5c2f17b2ebab9e9fbd2f9b962267d907608937c5e5b04bcfb1c286ed0b09
• Instruction ID: e9a27d827dee2cd3bac5fe7c2b2f16343d1b2cc66954557d64daced8c5eaa441
• Opcode Fuzzy Hash: ae9c5c2f17b2ebab9e9fbd2f9b962267d907608937c5e5b04bcfb1c286ed0b09
• Instruction Fuzzy Hash: 5A5247B4A04228CFCB25DF70D85969CBBBABF88205F5084E9D60AA3744DF349E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• LdrInitializeThunk.NTDLL ref: 010F0D1B
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: a660dbf75257a4cd13a1ce871310c6aaea424288a9053a0db6519ca78ebf7263
• Instruction ID: caea00d4ac70520eac08f5990c5fd1a6b9f0bbec10f3cf420e01cf1433edf62d
• Opcode Fuzzy Hash: a660dbf75257a4cd13a1ce871310c6aaea424288a9053a0db6519ca78ebf7263
• Instruction Fuzzy Hash: 115248B4A04228CFCB25DF70D85969CBBBABF88205F5084E9D60AA3744DF349E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• LdrInitializeThunk.NTDLL ref: 010F0D1B
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: 0cb72270c3d840787cea662cf1022da7e123439dbb29a47201983c25c65a7611
• Instruction ID: c975ff0796713a2bce32139c6548aa959b83ced61dcf98cb5fcb451e57ed1505
• Opcode Fuzzy Hash: 0cb72270c3d840787cea662cf1022da7e123439dbb29a47201983c25c65a7611
• Instruction Fuzzy Hash: F25248B4A04228CFCB25DF70D85969CBBBABF88205F5084E9D60AA3744DF349E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• LdrInitializeThunk.NTDLL ref: 010F0D1B
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: d4d46d9ac9b6987693dd341c114bc37a5842586029f850b13ee3aabfb757a99d
• Instruction ID: 28eb371d1c303b04c94c0b3ebf2483f2aaa70d2c95a54ea2e31d408032ddf42b
• Opcode Fuzzy Hash: d4d46d9ac9b6987693dd341c114bc37a5842586029f850b13ee3aabfb757a99d
• Instruction Fuzzy Hash: 295248B4A04228CFCB25DF70D85969CBBBABF88205F5084E9D60AA3744DF349E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• LdrInitializeThunk.NTDLL ref: 010F0D1B
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: cbe54991cb115a37b3d3ff30eb0a199aea159e29a699206534e24496744d3ea6
• Instruction ID: abd17fa60e862b19ed6a64f4f0598d7d6cbb37bf2dd5481a88032ecb824c5daa
• Opcode Fuzzy Hash: cbe54991cb115a37b3d3ff30eb0a199aea159e29a699206534e24496744d3ea6
• Instruction Fuzzy Hash: A95268B4A04228CFCB25DF70D85969CBBBABF88205F5084E9D60AA3740DF349E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• LdrInitializeThunk.NTDLL ref: 010F0D1B
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: 64022c1cd09179af1551592c30bf0827e8aa5b4a3efa4be115a41d03a1a6b9ff
• Instruction ID: 2338f0108856b9af42b53c9a5771d2e3c22ec81b8660d63b5bae2f9364ea7204
• Opcode Fuzzy Hash: 64022c1cd09179af1551592c30bf0827e8aa5b4a3efa4be115a41d03a1a6b9ff
• Instruction Fuzzy Hash: E25259B4A04229CFCB25DF70D85969CBBBABF88205F5084E9D60AA3740DF349E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 9295f8272f475ebca58a5e72e9c6426a0427afa6a4cde798a69d3da896c9bbb2
• Instruction ID: 95b114f6a5a26cb27b38e491bfbadedf9aa87c2007790821e8ebfde96f2758f9
• Opcode Fuzzy Hash: 9295f8272f475ebca58a5e72e9c6426a0427afa6a4cde798a69d3da896c9bbb2
• Instruction Fuzzy Hash: 942237B4A08229CFCB25DF20D84569CBBBABF88245F5084EDD60AA3740DF359E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 3606536c77a3edee0e953a7810e6d96ba5bbd8795efcf30489f8aacfe04dc85f
• Instruction ID: 7d397700ac61f97482a37f963b64b16f4c0da2123761bca3bd743af62106a64e
• Opcode Fuzzy Hash: 3606536c77a3edee0e953a7810e6d96ba5bbd8795efcf30489f8aacfe04dc85f
• Instruction Fuzzy Hash: 581237B4A08229CFCB25DF20D84569CBBBABF88245F5084EDD60AA3740DF359E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 354f0187a9739065d5e8585c63ee49c80644cd9ff7ac03d0299790d0bb912f02
• Instruction ID: 1f2884a8effb2fe269cfd85e2e1fe1a24d7fc51676a50e6eddef8f02b2d6946d
• Opcode Fuzzy Hash: 354f0187a9739065d5e8585c63ee49c80644cd9ff7ac03d0299790d0bb912f02
• Instruction Fuzzy Hash: 451237B4A08229CFCB25DF20D84569CBBBABF88245F5084EDD60AA3740DF359E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 84bde4c2b3253cdb693783dce5089a1194939148468c1687f9073db0260651ed
• Instruction ID: 47cfa6f87b557e9737494815a3dff14600a9290eaba6efd08a58d4f56f74df01
• Opcode Fuzzy Hash: 84bde4c2b3253cdb693783dce5089a1194939148468c1687f9073db0260651ed
• Instruction Fuzzy Hash: 4B1247B4A04229CFCB65DF20D84569CBBBABF88245F5084EDD60AA3740DF349E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: db0b11e39d0b4cc628e64cb3f56a3a206ef65210ebf0fe066bd6c37b5b2ac5d6
• Instruction ID: b764040d34e5ed68122d37a24cf879c9ee92c31101d069b2ba85197b559a67bc
• Opcode Fuzzy Hash: db0b11e39d0b4cc628e64cb3f56a3a206ef65210ebf0fe066bd6c37b5b2ac5d6
• Instruction Fuzzy Hash: FD1237B4A04229CFCB25DF20D85569CBBBABF88245F5084EDD60AA3740DF349E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 5098722f4bcf63775c06daac2fce8c0ef39e85fa48f04a4e20b0d31edb876e2b
• Instruction ID: d6c9bace23e5659b620b2130212111e5ab7b457b725066f757eb7e07e997812c
• Opcode Fuzzy Hash: 5098722f4bcf63775c06daac2fce8c0ef39e85fa48f04a4e20b0d31edb876e2b
• Instruction Fuzzy Hash: 351237B4A0422DCFCB25DF20D85569CBBBABF88245F5084E9D60AA3740DF349E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: bad3bae7e0f0d813c1a8c4ac4027e71441671bdcc39fab8cf3dce9db6e34b3ff
• Instruction ID: 1753229f6c702ac6e598e2f6cfb6ab4b5ca80344227c4802cd40f46dd5d7fd38
• Opcode Fuzzy Hash: bad3bae7e0f0d813c1a8c4ac4027e71441671bdcc39fab8cf3dce9db6e34b3ff
• Instruction Fuzzy Hash: 620237B4A04229CFCB25DF20D85569CBBBABF88245F5084E9D60AA3740DF349E91CF65
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 796c70ce6c8a5e4d67d8b398ef63ae9d354ef53cc0671a2868d6afdb02fdc126
• Instruction ID: 7f480a6d2cedfa2b4a7e9520b30bd933d7aa311bf9d1fda3faadf7eb20b5a6de
• Opcode Fuzzy Hash: 796c70ce6c8a5e4d67d8b398ef63ae9d354ef53cc0671a2868d6afdb02fdc126
• Instruction Fuzzy Hash: C30257B4A0422DCFCB25DF20D84569CBBBABF88245F5084E9D60AA3740DF349E91CF65
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 4ddc0137130ab6408697ac098a1a0d85dc976e8c0bb71e3f44ba85e0a1149a9b
• Instruction ID: 2f0ad41b09eaee587ae790ba9e1ff42a66f936889fe5d87feada7958d2f64c54
• Opcode Fuzzy Hash: 4ddc0137130ab6408697ac098a1a0d85dc976e8c0bb71e3f44ba85e0a1149a9b
• Instruction Fuzzy Hash: BC0248B4A0422DCFCB25DF20D85569CBBBABF88245F5084E9D60AA3740DF349E91CF65
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 20ad90583c3cea2a4a38e79f55f66f572bd7b1e7109ace6d2225523c97eddae6
• Instruction ID: 1432a766ab75e79b5a87934e4d148902e27edfa505f03013040c7c77729eaed8
• Opcode Fuzzy Hash: 20ad90583c3cea2a4a38e79f55f66f572bd7b1e7109ace6d2225523c97eddae6
• Instruction Fuzzy Hash: 9C0248B4A0422DCFCB25DF20D89569CBBBABF88245F5084E9D60AA3740DF349E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 2ce56b43ea55e839e27fe47001c5e386ab4dd4b0fb4dce119ecff603adaeb345
• Instruction ID: 4601da4811567581735aef2192067192473a9adc2815a3b30bdb900b805204fb
• Opcode Fuzzy Hash: 2ce56b43ea55e839e27fe47001c5e386ab4dd4b0fb4dce119ecff603adaeb345
• Instruction Fuzzy Hash: 2B0228B4A04229CFCB25DF30D85569CBBBABF88245F5084E9D60AA3740DF349E91CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1355
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 271f86d1c0636b1e651fcf6ce07ab300d7b0336d03a434d1ac7d22f42df0c673
• Instruction ID: 573e690268ea9f236993f765bf3b07c8c01d80f2599f814456a665161440e0b8
• Opcode Fuzzy Hash: 271f86d1c0636b1e651fcf6ce07ab300d7b0336d03a434d1ac7d22f42df0c673
• Instruction Fuzzy Hash: 96F138B4A0422DCFCB25DF20D85569CBBBABF88245F5084E9D60AA3740DF349E91CF59
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 9fe12c1865927853accb01f789b2a127610d9d75ab610c402959ab1e8ccfaab6
• Instruction ID: e391f68943f2af5dcb2cf8293d687296c71adc36d10422d8cab987c6f625a601
• Opcode Fuzzy Hash: 9fe12c1865927853accb01f789b2a127610d9d75ab610c402959ab1e8ccfaab6
• Instruction Fuzzy Hash: A5F138B4A0422DCFCB25DF20D85569CBBBABF88245F5084E9D60AA3740DF349E91CF59
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: 71aefa62ba634f5c2d4a6fed75405d159cad9c3368d42459eeab8c010f6b3b39
• Instruction ID: 7c61256207707b06602972452095b6086d535043c74ef3244163eb90f9b1123c
• Opcode Fuzzy Hash: 71aefa62ba634f5c2d4a6fed75405d159cad9c3368d42459eeab8c010f6b3b39
• Instruction Fuzzy Hash: 0CF139B4A0422DCFCB25DF20C85569CBBBABF88245F5084E9D60AA3740DF349E95CF59
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
• KiUserExceptionDispatcher.NTDLL ref: 010F18E5
Memory Dump Source
• Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser
• String ID:
• API String ID: 6842923-0
• Opcode ID: eaf9174a2a6b15d38bbf7539ccd8d2f932a722608e2086b40f8c0de5ea8e8a2a
• Instruction ID: a428713fb8b35bd43222fb9c6aaf35233a775e14d7bd52426460e8e4acfedc0b
• Opcode Fuzzy Hash: eaf9174a2a6b15d38bbf7539ccd8d2f932a722608e2086b40f8c0de5ea8e8a2a
• Instruction Fuzzy Hash: D2F14AB4A0422DCFCB25DF24C8556ACBBBABF88205F5084E9D60AA3740DF349E95CF55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 010F1685
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: 4dce46acb1a22518dd90ebe3229144df73252d67fe6a38f351031d5f80f4adbd
                                                                • Instruction ID: 09da071e895b15699efded88f846f2e14c20481d7d35fcf077d95a9db6f6fa6b
                                                                • Opcode Fuzzy Hash: 4dce46acb1a22518dd90ebe3229144df73252d67fe6a38f351031d5f80f4adbd
                                                                • Instruction Fuzzy Hash: DCE13AB4A0422DCFCB24DF24C85569DBBBABF88205F5084E9D60AA3740DF349E95CF59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F1685
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: 4e8442abc412b38b13d8537d8954f3f097384a08a687682920726f33c43fa251
                                                                • Instruction ID: 955874eb01756acd393c494004c7089253d3f6887501c4a9e8f07d27e41be1e4
                                                                • Opcode Fuzzy Hash: 4e8442abc412b38b13d8537d8954f3f097384a08a687682920726f33c43fa251
                                                                • Instruction Fuzzy Hash: 6AE129B4A04229CFCB24DF24C85569DBBBABF88205F5084E9D60AA3740DF349E95CF59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F1685
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: 3cca5e91a536adf415839903f7f45b1b15fdd2997eeabfc82596e4298e1d42ea
                                                                • Instruction ID: a592f3b50817c91f90f688d4c70a7f27a75ae9df01fff6b9ef551b9a4b505949
                                                                • Opcode Fuzzy Hash: 3cca5e91a536adf415839903f7f45b1b15fdd2997eeabfc82596e4298e1d42ea
                                                                • Instruction Fuzzy Hash: 1BE12AB4A0422DCFCB24DF24C85569DBBBABF88205F5084E9D60AA3740DF349E95CF59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F1685
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: a5edc2bed3793936fe879828615bb9ac4e7d87ed20f4b8ca72cc514b21b9b595
                                                                • Instruction ID: 79906f41c665c465dad3af65fe4a801d3f94b40dd658f97f2f17f4d332a50064
                                                                • Opcode Fuzzy Hash: a5edc2bed3793936fe879828615bb9ac4e7d87ed20f4b8ca72cc514b21b9b595
                                                                • Instruction Fuzzy Hash: 65E129B4A04229CFCB24DF24C85579DBBBABF88205F5084E9D60AA3740DF349E95CF59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F1685
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: 2c42ef47500697f38c48e9818e2a63488d182aa8e0381ea8eb2ebe274103936f
                                                                • Instruction ID: 711dd415538469e87aa0e1278a1dcec1f2e01a1acb3d07a61c9a147e553f5713
                                                                • Opcode Fuzzy Hash: 2c42ef47500697f38c48e9818e2a63488d182aa8e0381ea8eb2ebe274103936f
                                                                • Instruction Fuzzy Hash: 29D13AB4A04229CFCB24DF24C85579DBBB6BF88205F5084E9D60AA3740DF349E95CF59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F1685
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: 19990a72f8de675d3ab94df3ddd81525114f38e829eeb2f5dbadac99f2ea1fb8
                                                                • Instruction ID: 4377b179286063aa60f55c4528b317b7f393d7988f9639305832b29ebc220415
                                                                • Opcode Fuzzy Hash: 19990a72f8de675d3ab94df3ddd81525114f38e829eeb2f5dbadac99f2ea1fb8
                                                                • Instruction Fuzzy Hash: E6D129B4A04229CFCB24DF24C85579DBBB6BF88205F5084E9D60AA3740DF349E95CF69
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F1685
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: cc2d834bf0800f9f02a282b6aca86e3a9fde219e28ff9acf32f045fd6a524437
                                                                • Instruction ID: d42c21aba83f24c559337879351e295a58977ddfa61b17d7bcd6c1d59029fa1a
                                                                • Opcode Fuzzy Hash: cc2d834bf0800f9f02a282b6aca86e3a9fde219e28ff9acf32f045fd6a524437
                                                                • Instruction Fuzzy Hash: 7ED118B4A04228CFCB64DF24C85579DBBB6BF88205F5084E9D60AA3740DF349E95CF69
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F1685
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: b8b337c3dd1274d3282e4116a4e8393dc24bc72a2fa0dc3e2cfd6507724b63ee
                                                                • Instruction ID: 125cad937b1eaaa909828bd76debfd1b2eac0512e4ef862fddca29088c2c2dec
                                                                • Opcode Fuzzy Hash: b8b337c3dd1274d3282e4116a4e8393dc24bc72a2fa0dc3e2cfd6507724b63ee
                                                                • Instruction Fuzzy Hash: D5C128B4A04228CFCB64DF24C85579DBBB6BF88205F5084E9D60AA3740DF349E95CF69
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F1685
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: 05359e980282cb2ed5c5728950cea5392fa33990a4c4b32e0ec6a4c0c973c341
                                                                • Instruction ID: 29d739c2b5bb807777bafde5a889b218031b9be22e8f0cb26b71fd783988eb02
                                                                • Opcode Fuzzy Hash: 05359e980282cb2ed5c5728950cea5392fa33990a4c4b32e0ec6a4c0c973c341
                                                                • Instruction Fuzzy Hash: 28C119B4A04228CFCB64DF24C85579DBBB6BF88205F5084E9D60AA3740DF349E95CF69
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: dd348df2e3d2ad00811d86b4a77ff0a4e1dbbdf500e078c41a22fed74195465e
                                                                • Instruction ID: 79f18a4202e108df55929739f52a6fcac4fb2e96d9f3a3490ac23c86f1173075
                                                                • Opcode Fuzzy Hash: dd348df2e3d2ad00811d86b4a77ff0a4e1dbbdf500e078c41a22fed74195465e
                                                                • Instruction Fuzzy Hash: 9EC119B4A04229CFCB24DF24C8557ADBBB6BF88205F5084E9D60AA3740DF349E95CF59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: f3bd08df619daa9f839f2c4a4b5d731005c66b6cc4275f9497f3b6be4651c8ec
                                                                • Instruction ID: b516269e2de8a3fb4d6bde5ce62be6dc326d11748dadc150c6f233feeb795499
                                                                • Opcode Fuzzy Hash: f3bd08df619daa9f839f2c4a4b5d731005c66b6cc4275f9497f3b6be4651c8ec
                                                                • Instruction Fuzzy Hash: FEB129B4A04228CFCB64DF24C8557ADBBB6BF88205F5084E9D60AA3740DF349E95CF59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: 18563a506f62973c51645bf6967ae134358097ae6873c668ce8343fa0ed1c2c5
                                                                • Instruction ID: 30ec1a37a4a0137e7b55665a4573214025f5d00855b6319ac0053cf76ee2f461
                                                                • Opcode Fuzzy Hash: 18563a506f62973c51645bf6967ae134358097ae6873c668ce8343fa0ed1c2c5
                                                                • Instruction Fuzzy Hash: 09B128B4A04228CFCB64DF24C8557ADBBB6BF88205F5084E9D60AA3740DF349E95CF59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: 32bb3920fef8dadfe70a6d3e11dd7667411b2fdbacde6a1e724a86119dc42aea
                                                                • Instruction ID: 11b2b74b15179f0b6b785e1d577fa0dfa31fe409a771b2df05723fb7c6786a08
                                                                • Opcode Fuzzy Hash: 32bb3920fef8dadfe70a6d3e11dd7667411b2fdbacde6a1e724a86119dc42aea
                                                                • Instruction Fuzzy Hash: 19B139B4A04228CFCB64DF24C8557ADBBB6BF88205F5084E9D60AA3740DF349E95CF55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: 30785ed4c1e8b7690cd10e0748604ed62181a5a3125558261e6fad00f930e8ac
                                                                • Instruction ID: 6d2c0306bcaa6e5e5473f58178295c2369e9bd5bcaaaad002bde13b68ce804c5
                                                                • Opcode Fuzzy Hash: 30785ed4c1e8b7690cd10e0748604ed62181a5a3125558261e6fad00f930e8ac
                                                                • Instruction Fuzzy Hash: 7EA13AB4A04229CFCB24DF24C8557ADBBBABF88205F5084E9D60AA3740DF349E95CF55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: e580b51f71b0533d766d11d292318386cef2e20fcd842861aeef3374a62b4dd1
                                                                • Instruction ID: efa26722d40111762db58d3bd4a78878a8adc068b7b25b65d65fe3a60a70b6f7
                                                                • Opcode Fuzzy Hash: e580b51f71b0533d766d11d292318386cef2e20fcd842861aeef3374a62b4dd1
                                                                • Instruction Fuzzy Hash: 14A128B4A04229CFCB64DF24C8597ADBBB6BF88205F5084E9D60AA3740DF349E85CF55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: 8949fbbac19c6a0bf653b957c3498a63e995b6ca513282c2a47a89f180b7f0ba
                                                                • Instruction ID: ac930fb9fdb8010a91feb0ca5abfb07e8b1900039f04540d0aee831d739f0a73
                                                                • Opcode Fuzzy Hash: 8949fbbac19c6a0bf653b957c3498a63e995b6ca513282c2a47a89f180b7f0ba
                                                                • Instruction Fuzzy Hash: 2E9129B4A04229CFCB64DB34C8557ADBBB6BF88205F5084E9D60AA3740DF349E85CF55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • KiUserExceptionDispatcher.NTDLL ref: 010F18E5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595596194.00000000010F0000.00000040.00000001.sdmp, Offset: 010F0000, based on PE: false
                                                                Similarity
                                                                • API ID: DispatcherExceptionUser
                                                                • String ID:
                                                                • API String ID: 6842923-0
                                                                • Opcode ID: 955c6321282d16423c4dfd418ecd3cdaf69e73b6a44d07e93fad035cd7952299
                                                                • Instruction ID: 09b2799ebb6fa4f8062716dca93f53d5c7ea3bab2d24f08932fbd0efd04a6eea
                                                                • Opcode Fuzzy Hash: 955c6321282d16423c4dfd418ecd3cdaf69e73b6a44d07e93fad035cd7952299
                                                                • Instruction Fuzzy Hash: 699139B4A04229CFCB64DF24C8597ADBBB6BF88205F5084E9D60AA3740DF349E85CF55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.595802291.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: a62b706405b575756bf666dddff161a96fc98bf116859aab0416b6d40f942ee0
                                                                • Instruction ID: 961ee17a068e511c66e8171f658cbdfa11a87d2e8d04252e9fedc96a92e23e07
                                                                • Opcode Fuzzy Hash: a62b706405b575756bf666dddff161a96fc98bf116859aab0416b6d40f942ee0
                                                                • Instruction Fuzzy Hash: 80615A34A052159FDB28EBB5D4987AEBBF2AF84304F518828E416EB394DF389845CF51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.595802291.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: bd74943648cc449d7e1afe9856fb63cfa60f43df8f37c4d629a96dae14bf6255
• Instruction ID: 9fccf0bf52ee3738a681820fb3087236a3f87aee8ca3b869cecdd1cdf53ecdb7
• Opcode Fuzzy Hash: bd74943648cc449d7e1afe9856fb63cfa60f43df8f37c4d629a96dae14bf6255
• Instruction Fuzzy Hash: D351A731B002059FCB08EBB4C854AEEBBB5BF45204F44C969E516DB795EF70E844CBA1
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.595802291.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 640a341074bbf45688000411f3e1aef359207751f3202b341c30040c9f09e09a
• Instruction ID: d4ab6a5890eb40265ced8058fc005765e48e227ece2145c6d2db0d929648eff4
• Opcode Fuzzy Hash: 640a341074bbf45688000411f3e1aef359207751f3202b341c30040c9f09e09a
• Instruction Fuzzy Hash: F1419475B002059FCB18EBB4C884AEEBBB5BF44204F14C929E516DB795EF70E844CBA1
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.595716392.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92a9e83c3a39ce04c9b0bf482cf31247b3828d703f0f0cadfa62eb742b43ac1f
• Instruction ID: e56a92c4a8947a28b9d4c9294049d8658b09567661544f2b1f3cf371292c5ed5
• Opcode Fuzzy Hash: 92a9e83c3a39ce04c9b0bf482cf31247b3828d703f0f0cadfa62eb742b43ac1f
• Instruction Fuzzy Hash: 95413671E043958FCB15CF79C8446DEBBF4EF8A214F19856AD504AB341DB38A845CBE1
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 011AD79C
  (hKey 80000001 = HKEY_CURRENT_USER; samDesired 00000001 = KEY_QUERY_VALUE; the remaining arguments were not captured)
Memory Dump Source
• Source File: 00000004.00000002.595802291.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 1b02d92f59af4fcb99381eb00e7e91f16e89d11aa1f672eb2e10dba4bcad5dca
• Instruction ID: c7f8810b8389910c15afaeb574b8c75a2a83ee3993db984f53524b42348b5a79
• Opcode Fuzzy Hash: 1b02d92f59af4fcb99381eb00e7e91f16e89d11aa1f672eb2e10dba4bcad5dca
• Instruction Fuzzy Hash: A94157B49047498FDB04CFA8D488A9EBFF5BF49308F29C16AE408AB352C7749845CB91
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.595802291.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f4bc117a838366b5b3528275b01d5a128995dde4b6ba7361a635776c46b8c20f
• Instruction ID: c7104b625819014e0c90f4b11c60e10e16e452b4a6862f3f7f80198cf1e38cf9
• Opcode Fuzzy Hash: f4bc117a838366b5b3528275b01d5a128995dde4b6ba7361a635776c46b8c20f
• Instruction Fuzzy Hash: A831A134A05348DFC719DFA8D894AAD7FB1FF45304F5484A9D0049B352DB36A849CF51
Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 011ADA09
Memory Dump Source
• Source File: 00000004.00000002.595802291.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: ff34aaab4f3d0f69446d84681d2a511ef86e3fc26a83fc8e2928c6a7eb8272a9
• Instruction ID: d4b7b20624c4a0c2a55705d53e86e77604257a0258e61346bb5ad8727a4a9c18
• Opcode Fuzzy Hash: ff34aaab4f3d0f69446d84681d2a511ef86e3fc26a83fc8e2928c6a7eb8272a9
• Instruction Fuzzy Hash: DD4101B5D002589FCB14CFA9D884A8EBFF5BF48714F58805AE819AB710D7349905CF90
Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 011ADA09
Memory Dump Source
• Source File: 00000004.00000002.595802291.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 23d680b4c7a89e6f8341752b4b4487bdae71ec2b857c6c44aaacc927afe8050d
• Instruction ID: f2e6f8d9126cd9cf3c3740e27958592c05f510747963e966bcf572b24f8c8325
• Opcode Fuzzy Hash: 23d680b4c7a89e6f8341752b4b4487bdae71ec2b857c6c44aaacc927afe8050d
• Instruction Fuzzy Hash: B431FFB5D006589FCB14CFAAD884A9EBFF5BB48710F54802AE819AB710D7309905CFA1
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 011AD79C
  (hKey 80000001 = HKEY_CURRENT_USER; samDesired 00000001 = KEY_QUERY_VALUE; the remaining arguments were not captured)
Memory Dump Source
• Source File: 00000004.00000002.595802291.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: de99cb82109479887d7e4ca7f6d3377e63585e4b617dd47e762d4f6b59a6c50d
• Instruction ID: 59209165be5cb3ec6a2dbdc5038a27195d1489f95b6a8eaa93c8edcacb32783d
• Opcode Fuzzy Hash: de99cb82109479887d7e4ca7f6d3377e63585e4b617dd47e762d4f6b59a6c50d
• Instruction Fuzzy Hash: DE3132B4C006888FDB18CF99C588A8EFFF5BF48304F68C16AE409AB340C7749844CBA1
Uniqueness Score: -1.00%

APIs
• SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 011720B3
  (idHook 0000000D = 13 = WH_KEYBOARD_LL, the low-level keyboard hook used for keylogging; hmod and dwThreadId were not captured)
Memory Dump Source
• Source File: 00000004.00000002.595716392.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
• Opcode ID: b607b6e21966d4a0ad32f42da1b09475f4843b1f14f8a79be81a8fc4b5f1f7cd
• Instruction ID: bd5030676ec49ddf2763c594e1acc0f0d3b9c7a4cd3470bff48eaca2d38fe903
• Opcode Fuzzy Hash: b607b6e21966d4a0ad32f42da1b09475f4843b1f14f8a79be81a8fc4b5f1f7cd
• Instruction Fuzzy Hash: 382135759002099FCB14CFAAD844BEEBBF5FF88324F14841AE414A7350CB74A945CFA1
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,?,0117D731,00000800), ref: 0117D7C2
Memory Dump Source
• Source File: 00000004.00000002.595716392.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 3a1905851b9562e5ead2681a28baf3226c4e291423ec6f8aa81799fa1dd5499d
• Instruction ID: f30b4f47abb40253f656ee068d3b569cd8addf4b5f0334338504bbe1e68872dd
• Opcode Fuzzy Hash: 3a1905851b9562e5ead2681a28baf3226c4e291423ec6f8aa81799fa1dd5499d
• Instruction Fuzzy Hash: 222133B68002489FDB10CFAAD444ADEFBF8EF88724F14842EE515A7200C375A54ACFA1
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,?,0117D731,00000800), ref: 0117D7C2
Memory Dump Source
• Source File: 00000004.00000002.595716392.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: eac47a8068df2e0646008ed7e6332b74c7991d30fb34e655f8e3e263779f9f8d
• Instruction ID: d600843677de933d0f36337e52593f1a4808c25967a0e907bc9a91ebe857950e
• Opcode Fuzzy Hash: eac47a8068df2e0646008ed7e6332b74c7991d30fb34e655f8e3e263779f9f8d
• Instruction Fuzzy Hash: 4E11D3B69006499FDB14DFAAD444A9EFBF4EF88324F14842AE515A7700C374A545CFA1
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 011710B7
Memory Dump Source
• Source File: 00000004.00000002.595716392.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 54e2919069d42495aa65f0443ee483997d7738154ae59192c03c0adbe28004b9
• Instruction ID: f738b8ca9d0370333aa5118cd58ecc40abf50001a7a22344cc37485a30af7211
• Opcode Fuzzy Hash: 54e2919069d42495aa65f0443ee483997d7738154ae59192c03c0adbe28004b9
• Instruction Fuzzy Hash: BC1124B1C002599BCB10CFAAC844BDEFBB4BB48224F14816AE918A7240D778A945CFA1
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.595511905.00000000010AD000.00000040.00000001.sdmp, Offset: 010AD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a96e38a28e8ec7dd7a0476167e9dbb2fc1eba521c8f5d08457dd3e09cae51cee
• Instruction ID: 057f90d7c552a0f8ad0f72c6387b03f0165e05b3519a4a4c72fecc615edb0ad2
• Opcode Fuzzy Hash: a96e38a28e8ec7dd7a0476167e9dbb2fc1eba521c8f5d08457dd3e09cae51cee
• Instruction Fuzzy Hash: 8C2167B2504200EFDF01CFD4D9C0B2ABBA5FB88324F64C5A9E9454B646C336D816CBA1
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.595511905.00000000010AD000.00000040.00000001.sdmp, Offset: 010AD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 938462970603fdefaba4005b2015aae838925e305ffc78fb4358cfc3ab6293f5
• Instruction ID: f3035750e76b01ae26ed2fc5436142f1a4fa46af3525f99d66858f0bc09be4a9
• Opcode Fuzzy Hash: 938462970603fdefaba4005b2015aae838925e305ffc78fb4358cfc3ab6293f5
• Instruction Fuzzy Hash: 67213671504200EFDB11DF94D8C0B67BFA5FB88328F64C5A8E9854B606C736E806C7A1
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.595866430.00000000011CD000.00000040.00000001.sdmp, Offset: 011CD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66adfbf4f8de5d2def6a0689c8d7ba863f4751d02e596802f381cfb81d6e1222
• Instruction ID: d91f8685acd8c978dbd25d432409ab5aba640408f03c060f6823be042203a972
• Opcode Fuzzy Hash: 66adfbf4f8de5d2def6a0689c8d7ba863f4751d02e596802f381cfb81d6e1222
• Instruction Fuzzy Hash: F1210371504240EFDF19DF58E8C0B16BB65FB84A54F24C5BDE9094B246C736D817CBA2
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.595866430.00000000011CD000.00000040.00000001.sdmp, Offset: 011CD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 643ec7a94b1563898e689d9d4c295a353f5895462ff9213fb1ac0598fc581bf8
• Instruction ID: b85028c134d33060884a708bffd43cfb089766361e19ff88a3fc43134ef39766
• Opcode Fuzzy Hash: 643ec7a94b1563898e689d9d4c295a353f5895462ff9213fb1ac0598fc581bf8
• Instruction Fuzzy Hash: 3B2192754083809FCB07CF18D994B15BF71EB46614F28C5EAD8458B697C33AD85ACBA2
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.595511905.00000000010AD000.00000040.00000001.sdmp, Offset: 010AD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8585ed6571451648ff55b8ef9345983e783a96382152bcc83d682c1c6a8f2738
• Instruction ID: 5ddda23f752efe88c74df86881ef658b9d1cff6c3e5ccc8396afa2a175e37f01
• Opcode Fuzzy Hash: 8585ed6571451648ff55b8ef9345983e783a96382152bcc83d682c1c6a8f2738
• Instruction Fuzzy Hash: CA21AF76404280DFCB06CF54D9C4B5ABFB2FB88314F28C2E9D8444B656C33AD45ACBA1
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.595511905.00000000010AD000.00000040.00000001.sdmp, Offset: 010AD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51ec13b725027092ed1aa9eddd4cc34221202fdb6ccf77713265fee64c56290e
• Instruction ID: a25aa346e832d3f1cf33e8379fd7bda16b12c183f12130ad09035d88b7c64ec7
• Opcode Fuzzy Hash: 51ec13b725027092ed1aa9eddd4cc34221202fdb6ccf77713265fee64c56290e
• Instruction Fuzzy Hash: 3D11B176404280CFDB12CF54D5C4B56BFB1FB84324F2486A9D8850B657C336D45ACBA1
Uniqueness Score: -1.00%

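The function entries above are a fixed record format (API call lines with raw hex arguments, a Source File with the dump offset, and the opcode and instruction hashes), but the report leaves the Win32 constants undecoded. The following is an added example, not part of the Joe Sandbox report: a small parser that turns such entries into records, names the constants whose meaning is fixed by the API signature (the hook id passed to SetWindowsHookExW, the root key and access mask passed to RegOpenKeyExW), and flags keyboard-hook installations. The constant tables are the documented Win32 values; the sample input is an excerpt of three entries copied from the listing above; all function and field names are this example's own.

```python
"""Parse Joe Sandbox 'Executed Functions' entries and decode Win32 constants.

Added example, not part of the Joe Sandbox report. SAMPLE is an excerpt of
three entries from the listing above; function names, field names and the
constant tables are this example's own (values are the documented Win32 ones).
"""
import re
from dataclasses import dataclass, field

WH_HOOKS = {2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 5: "WH_CBT", 7: "WH_MOUSE",
            13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE",
              0x0004: "KEY_CREATE_SUB_KEY", 0x0008: "KEY_ENUMERATE_SUB_KEYS",
              0x0010: "KEY_NOTIFY", 0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY"}

# Constructed input: three entries copied from the listing above.
SAMPLE = """
APIs
• RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 011AD79C
Memory Dump Source
• Source File: 00000004.00000002.595802291.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false
Similarity
• API ID: Open
• String ID:
• Opcode ID: 1b02d92f59af4fcb99381eb00e7e91f16e89d11aa1f672eb2e10dba4bcad5dca
• Opcode Fuzzy Hash: 1b02d92f59af4fcb99381eb00e7e91f16e89d11aa1f672eb2e10dba4bcad5dca
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 011720B3
Memory Dump Source
• Source File: 00000004.00000002.595716392.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
• API ID: HookWindows
Uniqueness Score: -1.00%
APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 011710B7
Memory Dump Source
• Source File: 00000004.00000002.595716392.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false
• API ID: GlobalMemoryStatus
Uniqueness Score: -1.00%
"""

# "• Api.MODULE(arg,arg,...), ref: ADDR" or "• Api.MODULE ref: ADDR" (no argument capture)
CALL = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?"
                  r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
FIELD = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SCORE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?[\d.]+)%$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # raw hex strings as captured; "?" means the sandbox did not capture it
    ref: str


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)
    score: float = 0.0


def parse(text):
    """One FunctionEntry per record; the 'Uniqueness Score' line closes a record."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SCORE.match(line)):
            cur.score = float(m.group("score"))
            entries.append(cur)
            cur = FunctionEntry()
        elif (m := CALL.match(line)):
            args = m.group("args")
            cur.calls.append(ApiCall(m.group("api"), m.group("module"),
                                     args.split(",") if args else [], m.group("ref")))
        elif (m := FIELD.match(line)):
            cur.fields[m.group("key").strip()] = m.group("value").strip()
        # bare section labels (APIs, Similarity, Uniqueness) carry no data and are skipped
    return entries


def decode_call(call):
    """Name constants in argument positions whose meaning the API signature fixes."""
    a, notes = call.args, []
    if call.api.startswith("SetWindowsHookEx") and a and a[0] != "?":
        hook = int(a[0], 16)
        notes.append(f"idHook={hook} ({WH_HOOKS.get(hook, 'unknown')})")
    elif call.api.startswith("RegOpenKeyEx") and len(a) >= 4:
        if a[0] != "?":
            notes.append("hKey=" + HKEY_ROOTS.get(int(a[0], 16), a[0]))
        if a[3] != "?":
            sam = int(a[3], 16)
            names = [n for bit, n in KEY_RIGHTS.items() if sam & bit] or [hex(sam)]
            notes.append("samDesired=" + "|".join(names))
    return notes


def region(entry):
    """Dump offset the function came from, taken from the Source File field."""
    m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", entry.fields.get("Source File", ""))
    return m.group(1) if m else None


def keyboard_hooks(entries):
    """(ref, hook name) for every SetWindowsHookEx call installing a keyboard hook."""
    return [(c.ref, WH_HOOKS[int(c.args[0], 16)])
            for e in entries for c in e.calls
            if c.api.startswith("SetWindowsHookEx") and c.args and c.args[0] != "?"
            and WH_HOOKS.get(int(c.args[0], 16), "").startswith("WH_KEYBOARD")]


if __name__ == "__main__":
    for e in parse(SAMPLE):
        for c in e.calls:
            print(region(e), c.ref, f"{c.api}.{c.module}", "; ".join(decode_call(c)))
    print("keyboard hooks:", keyboard_hooks(parse(SAMPLE)))
```

Run against the full report text, `keyboard_hooks` gives the exact call sites (here 011720B3 in the 01170000 region) to set a breakpoint on when re-running the sample under a debugger, and `region` groups the calls by the unpacked memory region they were dumped from, which is how the registry-reading functions (011A0000) separate from the hook and VM-check functions (01170000). Arguments the sandbox did not capture stay as "?" and are never decoded, so a note is only emitted for values actually observed.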
                                                                Non-executed Functions