
Analysis Report Payment Advice Note from 02.04.2021 to 608761.exe

Overview

General Information

Sample Name: Payment Advice Note from 02.04.2021 to 608761.exe
Analysis ID: 385340
MD5: 65e28f2d01fc1d21e9d6632b85ce197c
SHA1: 80314bd15640f1fa2219d984f8dfbf57e31c2305
SHA256: 12b9e3e3878aed00a346cfbe1cbcfe58d52af8a7b27a0420ef91d3b8395ffb19
Tags: AgentTesla
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "jackie@ascobahkk.comxXlyWel0smtp.ascobahkk.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.476337979.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(4 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
1.2.Payment Advice Note from 02.04.2021 to 608761.exe.4455738.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.Payment Advice Note from 02.04.2021 to 608761.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.Payment Advice Note from 02.04.2021 to 608761.exe.4455738.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.Payment Advice Note from 02.04.2021 to 608761.exe.4455738.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "jackie@ascobahkk.comxXlyWel0smtp.ascobahkk.com"}
Machine Learning detection for sample
Source: Payment Advice Note from 02.04.2021 to 608761.exe | Joe Sandbox ML: detected
Source: 2.2.Payment Advice Note from 02.04.2021 to 608761.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Payment Advice Note from 02.04.2021 to 608761.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment Advice Note from 02.04.2021 to 608761.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0BDCC6D8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49737 -> 208.91.199.223:587
Source: global traffic | TCP traffic: 192.168.2.3:49737 -> 208.91.199.223:587
Source: Joe Sandbox View | IP Address: 208.91.199.223
Source: unknown | DNS traffic detected: queries for: smtp.ascobahkk.com
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp, Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.483013632.0000000003085000.00000004.00000001.sdmp, Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000003.431612776.0000000000FB4000.00000004.00000001.sdmp | String found in binary or memory: http://TpBEZpmhMLGhKCamPG.org
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220578954.0000000003310000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.482832070.0000000003079000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.ascobahkk.com
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp | String found in binary or memory: http://tzGfKE.com
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.482832070.0000000003079000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp, Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.476337979.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220356084.00000000017CB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 2.2.Payment Advice Note from 02.04.2021 to 608761.exe.400000.0.unpack, <PrivateImplementationDetails>{AFD082BB-4CDF-4607-9597-398070181BBE}/26701077-E73D-4C41-8F9A-8BC4114C6284.cs | Large array initialization: .cctor: array initializer size 11931
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Payment Advice Note from 02.04.2021 to 608761.exe
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC3C50 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC3C49 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC3F18
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDCBE78
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC2900
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC2BC0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC5F17
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC3F08
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC5F28
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC9AE8
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC9A86
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC9AB8
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC94C0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC28F0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC9897
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC0040
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC0007
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC5830
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC5820
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_00FC8D25
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_00FC6261
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_00BC0448
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_00BCEA30
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_00BC5A31
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_00BC4E28
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_00BCABE0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_00BC2360
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_00BCBCD8
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_00BC0438
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_00BC3F08
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011D6858
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011D5AF8
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011DB511
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011DD840
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011DB467
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011DC098
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011DB4AF
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011DB0E0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011DB7BE
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011E476C
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011EE360
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011E82F0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011E39F8
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011E0318
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_011E82EB
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_012D46A0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_012D3D50
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_012D4673
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_012D4690
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_009F9818
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameoKQWTCJBfBrkKhkxWyGnH.exe4 vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220356084.00000000017CB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220613531.0000000003357000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.219947553.000000000107B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameReturnMessage.exeL vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000000.217926360.0000000000AAB000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameReturnMessage.exeL vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480124208.0000000001270000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480048660.00000000011F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.476337979.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameoKQWTCJBfBrkKhkxWyGnH.exe4 vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480139451.0000000001280000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.477469018.0000000000EF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe | Binary or memory string: OriginalFilenameReturnMessage.exeL vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment Advice Note from 02.04.2021 to 608761.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 2.2.Payment Advice Note from 02.04.2021 to 608761.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Advice Note from 02.04.2021 to 608761.exe.log
Source: Payment Advice Note from 02.04.2021 to 608761.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: unknown | Process created: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe 'C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe'
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Process created: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Payment Advice Note from 02.04.2021 to 608761.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment Advice Note from 02.04.2021 to 608761.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC65E8 push esp; retf 1_2_0BDC65E9
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_0BDC656B push cs; retf 1_2_0BDC6573
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 1_2_00FC6261 push es; retf 1_2_00FC6BE3
Source: initial sample | Static PE information: section name: .text entropy: 7.60186559741
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | File created: \payment advice note from 02.04.2021 to 608761.exe
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion:

                  Yara detected AntiVM3
                  Source: Yara match | File source: 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Payment Advice Note from 02.04.2021 to 608761.exe PID: 6088, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Window / User API: threadDelayed 2031
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Window / User API: threadDelayed 7835
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe TID: 6072 | Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe TID: 6136 | Thread sleep time: -102829s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe TID: 1528 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe TID: 4180 | Thread sleep time: -12912720851596678s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe TID: 5840 | Thread sleep count: 2031 > 30
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe TID: 5840 | Thread sleep count: 7835 > 30
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Thread delayed: delay time: 102829
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: vmware
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000003.211851985.0000000001846000.00000004.00000001.sdmp, Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.479927391.0000000001195000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Code function: 2_2_00BC2360 LdrInitializeThunk, 2_2_00BC2360
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Memory written: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Process created: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480370384.00000000017C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480370384.00000000017C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480370384.00000000017C0000.00000002.00000001.sdmp | Binary or memory string: Progman
                  Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480370384.00000000017C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Queries volume information: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information:

                  Yara detected AgentTesla
                  Source: Yara match | File source: 00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.476337979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Payment Advice Note from 02.04.2021 to 608761.exe PID: 6088, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Payment Advice Note from 02.04.2021 to 608761.exe PID: 1064, type: MEMORY
                  Source: Yara match | File source: 1.2.Payment Advice Note from 02.04.2021 to 608761.exe.4455738.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Payment Advice Note from 02.04.2021 to 608761.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.Payment Advice Note from 02.04.2021 to 608761.exe.4455738.3.raw.unpack, type: UNPACKEDPE
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Tries to steal Mail credentials (via file access)
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Yara match | File source: 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Payment Advice Note from 02.04.2021 to 608761.exe PID: 1064, type: MEMORY

                  Remote Access Functionality:

                  Yara detected AgentTesla
                  Source: Yara match | File source: 00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.476337979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Payment Advice Note from 02.04.2021 to 608761.exe PID: 6088, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Payment Advice Note from 02.04.2021 to 608761.exe PID: 1064, type: MEMORY
                  Source: Yara match | File source: 1.2.Payment Advice Note from 02.04.2021 to 608761.exe.4455738.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.Payment Advice Note from 02.04.2021 to 608761.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.Payment Advice Note from 02.04.2021 to 608761.exe.4455738.3.raw.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Input Capture 111 | Security Software Discovery 211 | Remote Desktop Protocol | Input Capture 111 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Credentials in Registry 1 | Process Discovery 2 | SMB/Windows Admin Shares | Archive Collected Data 11 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Data from Local System 2 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                  Behavior Graph

                  Screenshots


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label | Link
                  Payment Advice Note from 02.04.2021 to 608761.exe | 12% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                  Payment Advice Note from 02.04.2021 to 608761.exe | 100% | Joe Sandbox ML | |

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  Source | Detection | Scanner | Label | Link
                  2.2.Payment Advice Note from 02.04.2021 to 608761.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 |

                  Domains

                  No Antivirus matches

                  URLs

                  Source | Detection | Scanner | Label | Link
                  http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
                  http://DynDns.comDynDNS | 0% | URL Reputation | safe |
                  http://smtp.ascobahkk.com | 0% | Avira URL Cloud | safe |
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe |
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |
                  http://TpBEZpmhMLGhKCamPG.org | 0% | Avira URL Cloud | safe |
                  http://tzGfKE.com | 0% | Avira URL Cloud | safe |

                  Domains and IPs

                  Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.223 | true | false | | high
smtp.ascobahkk.com | unknown | unknown | true | | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://smtp.ascobahkk.com | Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.482832070.0000000003079000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://us2.smtp.mailhostbox.com | Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.482832070.0000000003079000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220578954.0000000003310000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp; Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.476337979.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp | false | | high
http://TpBEZpmhMLGhKCamPG.org | Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp; Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.483013632.0000000003085000.00000004.00000001.sdmp; Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000003.431612776.0000000000FB4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://tzGfKE.com | Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.199.223 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

                            General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385340
Start date: 12.04.2021
Start time: 10:56:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 39s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Payment Advice Note from 02.04.2021 to 608761.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 1% (good quality ratio 0.8%)
• Quality average: 45.7%
• Quality standard deviation: 30.2%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 101
• Number of non-executed functions: 12
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 92.122.145.220, 52.147.198.201, 52.255.188.83, 104.42.151.234, 20.82.210.154, 23.57.80.111, 13.88.21.125, 92.122.213.247, 92.122.213.194, 8.248.117.254, 8.248.131.254, 67.26.137.254, 67.26.139.254, 67.27.158.254, 20.54.26.129, 40.88.32.150, 168.61.161.212
                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
10:57:09 | API Interceptor | 816x Sleep call for process: Payment Advice Note from 02.04.2021 to 608761.exe modified

                            Joe Sandbox View / Context

                            IPs

Match: 208.91.199.223

Associated Sample Name / URL | Detection
FN vw Safety 1 & 2.exe | malicious
purchase order.exe | malicious
AD1-2001028L.exe | malicious
AD1-2001028L (2).exe | malicious
Swift Copy#947026.exe | malicious
Order Enquiry 200234.exe | malicious
New Order Quotation.exe | malicious
Image0001.exe | malicious
Invoice.exe | malicious
April New Order.exe | malicious
Inv-254345.exe | malicious
TT COPY.exe | malicious
$$$.exe | malicious
FF&E Items.exe | malicious
Order_AH874.exe | malicious
Purchase Order #07916813.exe | malicious
AWB # 2205280630.jpg.exe | malicious
Purchase Order 03-25-2021.exe | malicious
Quotation 400026.exe | malicious
378753687654345678345602.exe | malicious

                                                                    Domains

Match: us2.smtp.mailhostbox.com

Associated Sample Name / URL | Detection | Context (IP the domain resolved to in that analysis)
e0xd7qhFaMk3Dpx.exe | malicious | 208.91.198.143
PAGO FACTURA V-8680.exe | malicious | 208.91.198.143
usd 420232.exe | malicious | 208.91.199.225
P037725600.exe | malicious | 208.91.199.225
VAT INVOICE.exe | malicious | 208.91.199.224
VAT INVOICE.exe | malicious | 208.91.199.225
NEW ORDER.exe | malicious | 208.91.198.143
TRANSFERENCIA AL EXTERIOR U810295.exe | malicious | 208.91.198.143
PAYMENT SWIFT COPY MT103.exe | malicious | 208.91.198.143
UPDATED SOA.exe | malicious | 208.91.199.224
BANK PAYMENT.exe | malicious | 208.91.199.224
VAT INVOICE.exe | malicious | 208.91.199.224
IMG_00000000001.PDF.exe | malicious | 208.91.198.143
New Order PO#121012020_____PDF_______.exe | malicious | 208.91.198.143
swift Copy.xls.exe | malicious | 208.91.199.225
FN vw Safety 1 & 2.exe | malicious | 208.91.199.223
MV TBN.uslfze.exe | malicious | 208.91.199.224
purchase order.exe | malicious | 208.91.199.223
AD1-2001028L.exe | malicious | 208.91.199.225
AD1-2001028L (2).exe | malicious | 208.91.199.223

                                                                    ASN

Match: PUBLIC-DOMAIN-REGISTRYUS

Associated Sample Name / URL | Detection | Context (IP contacted in that analysis)
Dubai REGA 2021UAE.exe | malicious | 208.91.199.135
e0xd7qhFaMk3Dpx.exe | malicious | 208.91.198.143
Dridex.xls | malicious | 208.91.199.159
documents-351331057.xlsm | malicious | 162.251.80.27
documents-351331057.xlsm | malicious | 162.251.80.27
DUBAI UAEGH092021.exe | malicious | 208.91.199.135
PAGO FACTURA V-8680.exe | malicious | 208.91.198.143
documents-1819557117.xlsm | malicious | 162.251.80.27
documents-1819557117.xlsm | malicious | 162.251.80.27
usd 420232.exe | malicious | 208.91.199.225
P037725600.exe | malicious | 208.91.199.225
VAT INVOICE.exe | malicious | 208.91.199.224
VAT INVOICE.exe | malicious | 208.91.199.224
NEW ORDER.exe | malicious | 208.91.198.143
TRANSFERENCIA AL EXTERIOR U810295.exe | malicious | 208.91.198.143
PAYMENT SWIFT COPY MT103.exe | malicious | 208.91.198.143
UPDATED SOA.exe | malicious | 208.91.199.224
BANK PAYMENT.exe | malicious | 208.91.199.224
document-1245492889.xls | malicious | 5.100.155.169
VAT INVOICE.exe | malicious | 208.91.199.224

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Advice Note from 02.04.2021 to 608761.exe.log
Process: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                    Static File Info

                                                                    General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.4508402175934
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Payment Advice Note from 02.04.2021 to 608761.exe
File size: 765440
MD5: 65e28f2d01fc1d21e9d6632b85ce197c
SHA1: 80314bd15640f1fa2219d984f8dfbf57e31c2305
SHA256: 12b9e3e3878aed00a346cfbe1cbcfe58d52af8a7b27a0420ef91d3b8395ffb19
SHA512: 6e4db02d9a4af0e3e118f7ef9e758a698870c5023632e9f84fab7fda85db4e3b782e60fd29aed0cd7c447b9dc08f1f7169562127b3b10bbd7de6431a5b60ba00
SSDEEP: 12288:SBt33BHKdWi+br+5uX1VOtRObIyhi54hrevdmBIg11:SLnls+v+6VOtR0PiqSYBIg11
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....zf`..............P.............F.... ... ....@.. ....................................@................................

                                                                    File Icon

Icon Hash: 09e4a4decec63680

                                                                    Static PE Info

                                                                    General

Entrypoint: 0x4b1f46
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60667A9F [Fri Apr 2 01:59:59 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb1ef4 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0xa8b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xaff4c | 0xb0000 | False | 0.732181895863 | data | 7.60186559741 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xb2000 | 0xa8b4 | 0xaa00 | False | 0.302205882353 | data | 3.60229082529 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xbe000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xb2100 | 0x94a8 | data | |
RT_GROUP_ICON | 0xbb5b8 | 0x14 | data | |
RT_VERSION | 0xbb5dc | 0x378 | data | |
RT_MANIFEST | 0xbb964 | 0xf4c | XML 1.0 document, UTF-8 Unicode (with BOM) text | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | (c) Ubisoft
Assembly Version | 4.1.0.2
InternalName | ReturnMessage.exe
FileVersion | 4.1.0.2
CompanyName | Ubisoft
LegalTrademarks | Ubisoft Connect
Comments |
ProductName | Ubisoft Game Launcher
ProductVersion | 4.1.0.2
FileDescription | Ubisoft Game Launcher
OriginalFilename | ReturnMessage.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/12/21-10:58:56.977144 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49737 | 587 | 192.168.2.3 | 208.91.199.223

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 10:58:55.112742901 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223
Apr 12, 2021 10:58:55.284945011 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3
Apr 12, 2021 10:58:55.285125017 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223
Apr 12, 2021 10:58:55.925510883 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3
Apr 12, 2021 10:58:55.926039934 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223
Apr 12, 2021 10:58:56.091690063 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3
Apr 12, 2021 10:58:56.091717958 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3
Apr 12, 2021 10:58:56.094475985 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223
Apr 12, 2021 10:58:56.263942957 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3
Apr 12, 2021 10:58:56.264977932 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223
Apr 12, 2021 10:58:56.433099031 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3
Apr 12, 2021 10:58:56.434525013 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223
Apr 12, 2021 10:58:56.600677013 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3
Apr 12, 2021 10:58:56.601398945 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223
Apr 12, 2021 10:58:56.801235914 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3
Apr 12, 2021 10:58:56.801776886 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223
Apr 12, 2021 10:58:56.970885038 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3
Apr 12, 2021 10:58:56.977144003 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223
Apr 12, 2021 10:58:56.977442980 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223
Apr 12, 2021 10:58:56.977602959 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223
Apr 12, 2021 10:58:56.977766037 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223
Apr 12, 2021 10:58:57.142786026 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3
Apr 12, 2021 10:58:57.143593073 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3
Apr 12, 2021 10:58:57.238548994 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3
Apr 12, 2021 10:58:57.278672934 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 10:56:59.183449030 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:12.003546000 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:12.052460909 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:14.965512991 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:15.014177084 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:15.853039980 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:15.904565096 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:29.757240057 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:29.814264059 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:30.551348925 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:30.609112024 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:31.991564989 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:32.049195051 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:33.064308882 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:33.116137981 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:33.814610004 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:33.863590002 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:34.206150055 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:34.254992962 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:34.502823114 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:34.563544989 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:35.324554920 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:35.373497963 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:36.496972084 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:36.556931973 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:50.276333094 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:50.334959984 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:54.640559912 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:54.692504883 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:55.349205971 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:55.398257971 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:56.450181961 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:56.501727104 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:57.204210043 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:57.274502039 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:57:57.569654942 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:57:57.618537903 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:58:10.774117947 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:58:10.823090076 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:58:15.225090027 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:58:15.284106016 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:58:30.278692007 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:58:30.327559948 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:58:31.477926970 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:58:31.535423994 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:58:32.375191927 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:58:32.423952103 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:58:46.279635906 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:58:46.331204891 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:58:47.853208065 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:58:47.921875954 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:58:54.468168020 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:58:54.668865919 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:58:54.692765951 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:58:54.969451904 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:59:02.283458948 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:59:02.344305038 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 10:59:03.315958023 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 10:59:03.365974903 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 10:58:54.468168020 CEST | 192.168.2.3 | 8.8.8.8 | 0xda06 | Standard query (0) | smtp.ascobahkk.com | A (IP address) | IN (0x0001)
Apr 12, 2021 10:58:54.692765951 CEST | 192.168.2.3 | 8.8.8.8 | 0x1bc5 | Standard query (0) | smtp.ascobahkk.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 10:58:54.668865919 CEST | 8.8.8.8 | 192.168.2.3 | 0xda06 | No error (0) | smtp.ascobahkk.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:58:54.668865919 CEST | 8.8.8.8 | 192.168.2.3 | 0xda06 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:58:54.668865919 CEST | 8.8.8.8 | 192.168.2.3 | 0xda06 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:58:54.668865919 CEST | 8.8.8.8 | 192.168.2.3 | 0xda06 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:58:54.668865919 CEST | 8.8.8.8 | 192.168.2.3 | 0xda06 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:58:54.969451904 CEST | 8.8.8.8 | 192.168.2.3 | 0x1bc5 | No error (0) | smtp.ascobahkk.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 10:58:54.969451904 CEST | 8.8.8.8 | 192.168.2.3 | 0x1bc5 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:58:54.969451904 CEST | 8.8.8.8 | 192.168.2.3 | 0x1bc5 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:58:54.969451904 CEST | 8.8.8.8 | 192.168.2.3 | 0x1bc5 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)
Apr 12, 2021 10:58:54.969451904 CEST | 8.8.8.8 | 192.168.2.3 | 0x1bc5 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 12, 2021 10:58:55.925510883 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 12, 2021 10:58:55.926039934 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223 | EHLO 258555
Apr 12, 2021 10:58:56.091717958 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Apr 12, 2021 10:58:56.094475985 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223 | AUTH login amFja2llQGFzY29iYWhray5jb20=
Apr 12, 2021 10:58:56.263942957 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3 | 334 UGFzc3dvcmQ6
Apr 12, 2021 10:58:56.433099031 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3 | 235 2.7.0 Authentication successful
Apr 12, 2021 10:58:56.434525013 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223 | MAIL FROM:<jackie@ascobahkk.com>
Apr 12, 2021 10:58:56.600677013 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3 | 250 2.1.0 Ok
Apr 12, 2021 10:58:56.601398945 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223 | RCPT TO:<jackie@ascobahkk.com>
Apr 12, 2021 10:58:56.801235914 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3 | 250 2.1.5 Ok
Apr 12, 2021 10:58:56.801776886 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223 | DATA
Apr 12, 2021 10:58:56.970885038 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3 | 354 End data with <CR><LF>.<CR><LF>
Apr 12, 2021 10:58:56.977766037 CEST | 49737 | 587 | 192.168.2.3 | 208.91.199.223 | .
Apr 12, 2021 10:58:57.238548994 CEST | 587 | 49737 | 208.91.199.223 | 192.168.2.3 | 250 2.0.0 Ok: queued as B3289D7823

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 10:57:07
Start date: 12/04/2021
Path: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe'
Imagebase: 0xfc0000
File size: 765440 bytes
MD5 hash: 65E28F2D01FC1D21E9D6632B85CE197C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 10:57:10
Start date: 12/04/2021
Path: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe
Imagebase: 0x9f0000
File size: 765440 bytes
MD5 hash: 65E28F2D01FC1D21E9D6632B85CE197C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.476337979.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                    Disassembly

                                                                    Code Analysis

                                                                    Reset < >

                                                                      Executed Functions

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 6Ge$6Ge$9|DB$9|DB$9|DB$?Hh
                                                                      • API String ID: 0-2080541871
                                                                      • Opcode ID: 19ad1c8a45985dc280b1d091befe2658a7883a5da9a54bf861244aa19ebd4d65
                                                                      • Instruction ID: 3160e873c340fc3ea181a08e50c6d8cee9c3646fc73f326ca9c16742fd9f11b1
                                                                      • Opcode Fuzzy Hash: 19ad1c8a45985dc280b1d091befe2658a7883a5da9a54bf861244aa19ebd4d65
                                                                      • Instruction Fuzzy Hash: 0871D274E10209DFCB04DFE5D9496AEFBB2FB88311F20846AE41AAB744DB349A41CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 9|DB$9|DB$9|DB$?Hh
                                                                      • API String ID: 0-797612247
                                                                      • Opcode ID: 9f7b24c81440b6cd764fdd12ffe585d30f313f41ea926416fc52a80e6a38ff4f
                                                                      • Instruction ID: 91837817b584bdcf63f8bfec7341c45608eecea0ba736d8595d5e209576635c9
                                                                      • Opcode Fuzzy Hash: 9f7b24c81440b6cd764fdd12ffe585d30f313f41ea926416fc52a80e6a38ff4f
                                                                      • Instruction Fuzzy Hash: 1771E374E11209DFCB14CFE5D9856AEFBB2FB88311F10846AE41AABB44DB349A41CF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: KKe$j0_c${A
                                                                      • API String ID: 0-3848053977
                                                                      • Opcode ID: 8133c8c79da5e792de7d9af1e5493d4586b6f0d2c29fcf6b7fc3d7dd91789def
                                                                      • Instruction ID: 0502a17f6457a9bb011eb11bd2db07463d98e97c2ca061c9166b7016a26be9aa
                                                                      • Opcode Fuzzy Hash: 8133c8c79da5e792de7d9af1e5493d4586b6f0d2c29fcf6b7fc3d7dd91789def
                                                                      • Instruction Fuzzy Hash: 75B122B4E1520ACFCB09CFA9D5908AEFBF2EB89310F20902AD515A7354D7359A01CF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: xl$9m;$9m;
                                                                      • API String ID: 0-243806230
                                                                      • Opcode ID: e302d94dd4e532ed789fe878ac1a2edc1fc4da89d22b21bbe11a07089d23696c
                                                                      • Instruction ID: 2ddf80300b2bd5d4c6ca4a076eace1d35b7989bd09bd50e9129a63db9fdd38d3
                                                                      • Opcode Fuzzy Hash: e302d94dd4e532ed789fe878ac1a2edc1fc4da89d22b21bbe11a07089d23696c
                                                                      • Instruction Fuzzy Hash: 05C14470E11219CFCB14CFA4D99969EFBB2FB89720F109469E01ABB354DB349941CF28
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $%l
                                                                      • API String ID: 0-1907315506
                                                                      • Opcode ID: 193d8b453cf28b0942b3c1eeacea012fc7cc5961423f2a8d5a69b19f1892ef96
                                                                      • Instruction ID: fb9e5e57385ccf7702588fdb436a4ff0708a68723f65f99f1bf3a2504fe958be
                                                                      • Opcode Fuzzy Hash: 193d8b453cf28b0942b3c1eeacea012fc7cc5961423f2a8d5a69b19f1892ef96
                                                                      • Instruction Fuzzy Hash: D6329A70B112068FDB15DBA9C554BAFB7F6EF89210F24406DE60A9B391CB31ED05CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 0BDC3CCF
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationProcessQuery
                                                                      • String ID:
                                                                      • API String ID: 1778838933-0
                                                                      • Opcode ID: a090709c3af2637b980d81895e7729571504f9fdb2368c40ccc828b9c630f73e
                                                                      • Instruction ID: 9607189707a4f52d294a06933ef39d29b034d0ec7d9f62aabd3b75edb6cdd5ce
                                                                      • Opcode Fuzzy Hash: a090709c3af2637b980d81895e7729571504f9fdb2368c40ccc828b9c630f73e
                                                                      • Instruction Fuzzy Hash: 2A21EFB5900649DFCB10CFAAD984ACEFBF4FB48320F10842AE918A7250D775A554CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 0BDC3CCF
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InformationProcessQuery
                                                                      • String ID:
                                                                      • API String ID: 1778838933-0
                                                                      • Opcode ID: 7c64c4f45a60a1b214dd3063dbe274e7ca4b11dbe1e5b61ad3da64afa03c5b84
                                                                      • Instruction ID: 09681516f3095ae80dcc0e086daa1fda6ad48d092d8f2d0c76124744a24bf6b6
                                                                      • Opcode Fuzzy Hash: 7c64c4f45a60a1b214dd3063dbe274e7ca4b11dbe1e5b61ad3da64afa03c5b84
                                                                      • Instruction Fuzzy Hash: 9921CFB5900649DFCB10CF9AD984ADEFBF4FB48320F10842AE928A7350D775A944CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: xl
                                                                      • API String ID: 0-3116759922
                                                                      • Opcode ID: dc34992681f0a05ce97f322b241ee4f6a6bdd92f71ecc2ba06e983bc847efb2f
                                                                      • Instruction ID: 1079b2b34d90e1c32d037a96374f4d2fdd148da190de3a01270db7a156c37c71
                                                                      • Opcode Fuzzy Hash: dc34992681f0a05ce97f322b241ee4f6a6bdd92f71ecc2ba06e983bc847efb2f
                                                                      • Instruction Fuzzy Hash: DAB15670E11219CFCB14CFA4D89969EFBB2FB89724F10946AE01AB7354DB349941CF28
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0BDC8386
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: e85505d068002bf0fc1ccfb688d898b2c64d411fd13cab1a11558f9a85d66aae
                                                                      • Instruction ID: 58df629d81a3b9604b490856706f9467fe00bac9ce6d94e988d8b8412ca998e3
                                                                      • Opcode Fuzzy Hash: e85505d068002bf0fc1ccfb688d898b2c64d411fd13cab1a11558f9a85d66aae
                                                                      • Instruction Fuzzy Hash: 11A18D71D0461A8FDB10CFA8C884BEEFBB2BF48314F14856DD809A7280DB759985DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0BDC8386
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: d595aa0c653ee73deab711b9e00993f7b3435d08b6762619ed183ed2366f4907
                                                                      • Instruction ID: e0806d0d517a78a3c5d328e256d166ef1ff8e0b92940ab0ba419da1eb1a08f44
                                                                      • Opcode Fuzzy Hash: d595aa0c653ee73deab711b9e00993f7b3435d08b6762619ed183ed2366f4907
                                                                      • Instruction Fuzzy Hash: B1918B71D0461ACFDB14CFA8C884BEEFBB2BF48314F148569E809A7280DB759985DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0BDC7B58
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: 83ad3ad2a6724e32ffbc00896f463931cdd12e54ba03a8b0afcee658c54a67ea
                                                                      • Instruction ID: 4b2e9112598bf739b3d675577369c25db926f5fd43b380c2c626089491b88e80
                                                                      • Opcode Fuzzy Hash: 83ad3ad2a6724e32ffbc00896f463931cdd12e54ba03a8b0afcee658c54a67ea
                                                                      • Instruction Fuzzy Hash: 512126719002499FCB10DFA9C984BDEBBF5FB48314F108829E919A7240DB78A954CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0BDC7B58
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: 5eb78d44f1171950742efe90165465fc1ff09ad89b079a6bb9ad25cd766d62c4
                                                                      • Instruction ID: d842e2af09bcc968599f5060cfb0f24f635669711da3e6239263aa1e26905717
                                                                      • Opcode Fuzzy Hash: 5eb78d44f1171950742efe90165465fc1ff09ad89b079a6bb9ad25cd766d62c4
                                                                      • Instruction Fuzzy Hash: AB2126719003499FCB10DFA9C984BDEBBF5FF48324F108829E919A7240DB78A944CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0BDC7C38
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 6eb6a29c8727898ec66964ceb7e24176d4b90e318376143f758bc49007f17511
                                                                      • Instruction ID: 97f0e45f06633c932aeff7353c2d8be99c0f156959fa0ce10be214cc76a5f314
                                                                      • Opcode Fuzzy Hash: 6eb6a29c8727898ec66964ceb7e24176d4b90e318376143f758bc49007f17511
                                                                      • Instruction Fuzzy Hash: FB2127719002499FCB10DFA9C9407DEFBB5FF48324F50842DE919A3250DB349905DFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 0BDC79AE
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ContextThread
                                                                      • String ID:
                                                                      • API String ID: 1591575202-0
                                                                      • Opcode ID: cb47a51dd8ba579cc5dcef90de58cb9d6fe081145203eeb1cea8a099633b660f
                                                                      • Instruction ID: dfd9993ce900a4366714c497c9cc44ec7b3de5090a81c64e2fe9f10576f82d50
                                                                      • Opcode Fuzzy Hash: cb47a51dd8ba579cc5dcef90de58cb9d6fe081145203eeb1cea8a099633b660f
                                                                      • Instruction Fuzzy Hash: BE2125719002099FDB10DFAAC9857EFFBF4AB88228F14842DD559A7241DB78A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0BDC7C38
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 7366cfce757435a2df9e34e9f87ee293fbb8b0dd6496d6e10c1cbddf2983404b
                                                                      • Instruction ID: 1f1964b656e30807feb5f32eee24ae96efa0adba2c357498508bf9015ee1d9f9
                                                                      • Opcode Fuzzy Hash: 7366cfce757435a2df9e34e9f87ee293fbb8b0dd6496d6e10c1cbddf2983404b
                                                                      • Instruction Fuzzy Hash: CF2116B19002499FCB10DFA9C9807EEFBB5FF48324F508829E519A7250DB389944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 0BDC79AE
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ContextThread
                                                                      • String ID:
                                                                      • API String ID: 1591575202-0
                                                                      • Opcode ID: 8db4e1247788512d217137613aff705ec32ef86c3f0e692228aab8a080dc4555
                                                                      • Instruction ID: 528412fb64cdc215f9fd5424b80b3d5d1adabf0b8d1f487340aab8e56365b552
                                                                      • Opcode Fuzzy Hash: 8db4e1247788512d217137613aff705ec32ef86c3f0e692228aab8a080dc4555
                                                                      • Instruction Fuzzy Hash: 192134719002098FDB10DFAAC5847EEFBF4AB88328F14842ED559A7240DB78A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0BDC286B
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: 31f71d66933980a55c6fde1d7ae72855595101439169549011ef385d14d5ae46
                                                                      • Instruction ID: 92554748738d7f5e7a380571bae91f692ff8391f5abd0d7c1bc6fb005e723ca6
                                                                      • Opcode Fuzzy Hash: 31f71d66933980a55c6fde1d7ae72855595101439169549011ef385d14d5ae46
                                                                      • Instruction Fuzzy Hash: CE2133B59006499FDB10CFAAC584BDEFBF4FF48320F108429E868A7251D778A645CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0BDC7A76
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: d863e51141cfebf60803472708955873d7c3d5e5bb3c2a1fddf33c9bd2b3d85f
                                                                      • Instruction ID: 15a896d32a7340b0dd30dd9f96e38ba87f532bb850f66f42f9a36f0ec9fa9dbe
                                                                      • Opcode Fuzzy Hash: d863e51141cfebf60803472708955873d7c3d5e5bb3c2a1fddf33c9bd2b3d85f
                                                                      • Instruction Fuzzy Hash: 8E1147718002499BCB14DFAAC944BDFFBF5EB88324F208819E529A7250DB35A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0BDC286B
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: 67b463d5853ad59c9ddbec24c8ddba0ab81831e3eb094863d879890d6aee101d
                                                                      • Instruction ID: e8df000c55fba4da014903b40f5b0eeae2f8c60e3f7eda32166771a916a509ba
                                                                      • Opcode Fuzzy Hash: 67b463d5853ad59c9ddbec24c8ddba0ab81831e3eb094863d879890d6aee101d
                                                                      • Instruction Fuzzy Hash: 9321D3B59006499FDB10DF9AC984BDEFBF4FB48320F108429E868A7250D778A645CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • OutputDebugStringW.KERNELBASE(00000000), ref: 0BDC5C58
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DebugOutputString
                                                                      • String ID:
                                                                      • API String ID: 1166629820-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0BDC7A76
Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• OutputDebugStringW.KERNELBASE(00000000), ref: 0BDC5C58
Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID: DebugOutputString
• String ID:
• API String ID: 1166629820-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE ref: 0BDC5E0F
Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE ref: 0BDC5E0F
Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0BDCB22D
Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.224792931.000000000BDC0000.00000040.00000001.sdmp, Offset: 0BDC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Executed Functions

APIs
Memory Dump Source
• Source File: 00000002.00000002.477292951.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 012D4116
Memory Dump Source
• Source File: 00000002.00000002.480184818.00000000012D0000.00000040.00000001.sdmp, Offset: 012D0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D0D19
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: 59ff31f18bce662d8793db9a8b56232c1e73940f56ba8ad6d5326eafb789f71b
                                                                      • Instruction ID: d37506410879fec09a2e666091197e7a3ca1414de3effdd36f0d43d196d2f796
                                                                      • Opcode Fuzzy Hash: 59ff31f18bce662d8793db9a8b56232c1e73940f56ba8ad6d5326eafb789f71b
                                                                      • Instruction Fuzzy Hash: B3A2E7B4A04228CFCB69EF70D8986ADB7B6BF49305F1041EAD50AA3350DB349E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D0D19
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: ab81bba7b6367c98800026c95df2d79c3e234d570a04c1b3a20f8599302d25ec
                                                                      • Instruction ID: b2028695bcb7ea21a64a115674b4d6580d7a3c3a993ba999541ed2bbb2631049
                                                                      • Opcode Fuzzy Hash: ab81bba7b6367c98800026c95df2d79c3e234d570a04c1b3a20f8599302d25ec
                                                                      • Instruction Fuzzy Hash: D762FB74A04228CFCB69EF70D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D0D19
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: fc9a1b6c55dcb8b91e8724e958f7c03b4f428009183bf62642142875db2d84a1
                                                                      • Instruction ID: 0ac59ffdccb83bc074f864c8409ee2ab4a125fc7c1087f404bc31bfade66c757
                                                                      • Opcode Fuzzy Hash: fc9a1b6c55dcb8b91e8724e958f7c03b4f428009183bf62642142875db2d84a1
                                                                      • Instruction Fuzzy Hash: 9452FB74A04228CFCB69EF70D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D0D19
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: dced5fdf9b1a1879a656c2618fcbd9dbc93321a88b08d56a68256c1d8e28d9b7
                                                                      • Instruction ID: e29ca45c2010abf08e1ac7497dc1dfafdc4c95aa16073a2fcbdd5a84380d1e75
                                                                      • Opcode Fuzzy Hash: dced5fdf9b1a1879a656c2618fcbd9dbc93321a88b08d56a68256c1d8e28d9b7
                                                                      • Instruction Fuzzy Hash: 3452FB74A04228CFCB69EF70D8986ADB7B6BF49205F1041EAD50EA3350DB389E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D0D19
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: 6bceacc5dea1af3ed94bb2c589af42715333ad8778037dd2ccf35fb43d179989
                                                                      • Instruction ID: a956f716b2e9d7a4df373303d5c42473caf73b311944741a428e9215c46ac23b
                                                                      • Opcode Fuzzy Hash: 6bceacc5dea1af3ed94bb2c589af42715333ad8778037dd2ccf35fb43d179989
                                                                      • Instruction Fuzzy Hash: EC52FA74A05228CFCB69EF70D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D0D19
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: bf3a5152b2fad2ba4f0ba7d2d61c47b98e2a33f3b6558cbfa3a82661e7c766d3
                                                                      • Instruction ID: b735f6a3265e86301e7ef088bc9ad706cbc94dcdd70a63571584d9050df4bec2
                                                                      • Opcode Fuzzy Hash: bf3a5152b2fad2ba4f0ba7d2d61c47b98e2a33f3b6558cbfa3a82661e7c766d3
                                                                      • Instruction Fuzzy Hash: AD52FA74A04228CFCB69EF74D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D0D19
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: b7aa36124db08b7d33aeddac29338e33ad279f16e27fdb080c8f267104e2c2a7
                                                                      • Instruction ID: d6128ef37c55c15d65a892df9edefed9f22cb1f4a824cdbd3c54b33b3112d62d
                                                                      • Opcode Fuzzy Hash: b7aa36124db08b7d33aeddac29338e33ad279f16e27fdb080c8f267104e2c2a7
                                                                      • Instruction Fuzzy Hash: 0A52FA74A05228CFCB69EF70D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D0D19
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: e06cc0e5b3a85f80dc95be94a757efeb86916a1259ae887e70b4f296fa23ec21
                                                                      • Instruction ID: 8369205b2e7b714205e5761c9cd593a2f889b69f2204662ccb0e27b0d913eaed
                                                                      • Opcode Fuzzy Hash: e06cc0e5b3a85f80dc95be94a757efeb86916a1259ae887e70b4f296fa23ec21
                                                                      • Instruction Fuzzy Hash: D952FA74A04228CFCB69EF74D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D0D19
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: ae06e0c9373529231ca9880cf02863ed16424318ff30218076d17cd1b8ddf5e4
                                                                      • Instruction ID: 568d2f5b0923b3c9ff1acd63a48d3e3d5bda46a9d60905e2590ceaf7c1813cc1
                                                                      • Opcode Fuzzy Hash: ae06e0c9373529231ca9880cf02863ed16424318ff30218076d17cd1b8ddf5e4
                                                                      • Instruction Fuzzy Hash: 8D52FA74A04228CFCB69EF74D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D0D19
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: a3378ca37240014d054c9bd92f5d540585b6221843ddda0f85389d13384de5de
                                                                      • Instruction ID: 7a53d1fa7b92a13b357ec54242dab5b7f21821b18b9c3a799fc1e79624826238
                                                                      • Opcode Fuzzy Hash: a3378ca37240014d054c9bd92f5d540585b6221843ddda0f85389d13384de5de
                                                                      • Instruction Fuzzy Hash: 7D42F974A04228CFCB69EF74D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D0D19
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: ead1f13b634f184299164c6a0b11327ab2fe232ab09cf3a795b75f7245f6e8de
                                                                      • Instruction ID: 6a2e2ff79e3504bb01d244dddaea6ab56de9046d29752c292093960a3370efd8
                                                                      • Opcode Fuzzy Hash: ead1f13b634f184299164c6a0b11327ab2fe232ab09cf3a795b75f7245f6e8de
                                                                      • Instruction Fuzzy Hash: 20420A74A04228CFCB69EF70D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32 ref: 012D69A0
                                                                      • GetCurrentThread.KERNEL32 ref: 012D69DD
                                                                      • GetCurrentProcess.KERNEL32 ref: 012D6A1A
                                                                      • GetCurrentThreadId.KERNEL32 ref: 012D6A73
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480184818.00000000012D0000.00000040.00000001.sdmp, Offset: 012D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Current$ProcessThread
                                                                      • String ID:
                                                                      • API String ID: 2063062207-0
                                                                      • Opcode ID: 45896bdba63fadcace1742acc39deeaa0730db88b11855d6e4e818ffce78ead8
                                                                      • Instruction ID: b5b6e5eb34d11af60dc811f5d8ff5776e34db2d666ab377e86e2f45491bcdc77
                                                                      • Opcode Fuzzy Hash: 45896bdba63fadcace1742acc39deeaa0730db88b11855d6e4e818ffce78ead8
                                                                      • Instruction Fuzzy Hash: FC5144B09106498FDB14CFAAD648BDEBFF0EF88304F248459E559A73A0DB749844CF62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32 ref: 012D69A0
                                                                      • GetCurrentThread.KERNEL32 ref: 012D69DD
                                                                      • GetCurrentProcess.KERNEL32 ref: 012D6A1A
                                                                      • GetCurrentThreadId.KERNEL32 ref: 012D6A73
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480184818.00000000012D0000.00000040.00000001.sdmp, Offset: 012D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Current$ProcessThread
                                                                      • String ID:
                                                                      • API String ID: 2063062207-0
                                                                      • Opcode ID: c1e478e98bfacf821aa3eb7e6e25db8fb2b9b65b2480cda55fb2352a1e4d786e
                                                                      • Instruction ID: 54a0094f4ff680e06c2ac9b233241e2bd6ef5535e57b5f683318332e08d730c8
                                                                      • Opcode Fuzzy Hash: c1e478e98bfacf821aa3eb7e6e25db8fb2b9b65b2480cda55fb2352a1e4d786e
                                                                      • Instruction Fuzzy Hash: 235153B09106498FDB14CFAAD648BDEBBF0FF88304F208459E559A7390DB74A844CF62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: 97743ada17862cf9d538627570c101b8878ae9c1a3477494bcb16ff2b0fc7682
                                                                      • Instruction ID: 399ef57fa24728200dd7339d15ed38fb263fbba5c927f111b7ac40ebbfbcd723
                                                                      • Opcode Fuzzy Hash: 97743ada17862cf9d538627570c101b8878ae9c1a3477494bcb16ff2b0fc7682
                                                                      • Instruction Fuzzy Hash: 5042FA74A04228CFCB69EF74D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: 5df31664c43e7d7390fe652397e2fb76ce285d3459932a662b9ed87326a61c1b
                                                                      • Instruction ID: eb3b0775b408f913a33e1e374aaf69e73d7b4b3ab8d337b0951d01074ef27326
                                                                      • Opcode Fuzzy Hash: 5df31664c43e7d7390fe652397e2fb76ce285d3459932a662b9ed87326a61c1b
                                                                      • Instruction Fuzzy Hash: 56420A74A04228CFCB69EF74D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 5aea15bc6f14a4dc8e588d8a71c0c3396d915657baa06ee5024ae8a640ca5666
• Instruction ID: 07c34d316e2c97f2069af03a0728f437365db316ab2152e270e2ee364261b269
• Opcode Fuzzy Hash: 5aea15bc6f14a4dc8e588d8a71c0c3396d915657baa06ee5024ae8a640ca5666
• Instruction Fuzzy Hash: 9142FA74A04228CFCB69EF74D8986ADB7B6BF48305F1041EAD50AA3350DB389E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 21d3cee10365ce88ed7df4e31acf64b9771c96a6e81e7bec44455146400a0e03
• Instruction ID: 5766d2013f2ecbeca8b5a26dc5b9eceaee0b64a6c7491043e2a371991d82ecfd
• Opcode Fuzzy Hash: 21d3cee10365ce88ed7df4e31acf64b9771c96a6e81e7bec44455146400a0e03
• Instruction Fuzzy Hash: 17420A74A05228CFCB69EF70D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 51f3af12f7a5b6c7d9f4228416af51513d70f6f2a73c14c060cc22d456e5e30a
• Instruction ID: 78929402aede7044c9c793c0957f0a130027349c4cf8c19a8fcf4dfd035de080
• Opcode Fuzzy Hash: 51f3af12f7a5b6c7d9f4228416af51513d70f6f2a73c14c060cc22d456e5e30a
• Instruction Fuzzy Hash: 29420A74A04228CFCB69EF74D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: e1e5cbac8be84183336b8ddb06befbedaabf80cd81f72273deaab3d213af3ee0
• Instruction ID: 2b242b716ce6b3fe5a6a54a2b80b1e557872e6e439e602b06b58260b1f0afbfe
• Opcode Fuzzy Hash: e1e5cbac8be84183336b8ddb06befbedaabf80cd81f72273deaab3d213af3ee0
• Instruction Fuzzy Hash: B2321A74A05228CFCB69EF70D8986ADB7B6BF48205F1041EAD50EA3350DB389E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: a0fbbf9b94b6dbf2b8fe9b00693b5b9b8dd8772ce09fbddabeafdfea1eb9dce1
• Instruction ID: 5f3eddbbbd77a96d594f4df9b7cbc6055bec38ef02a4ed7e0a4dab727d8e71b9
• Opcode Fuzzy Hash: a0fbbf9b94b6dbf2b8fe9b00693b5b9b8dd8772ce09fbddabeafdfea1eb9dce1
• Instruction Fuzzy Hash: 50320A74A04228CFCB69EF74D8986ADB7B6BF48205F1041EAD50EA3350DB349E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 3061f0e14ddcd74edfd6dd52ef897087c65cad648e68921503673a6214fd244c
• Instruction ID: e89b7bd4dd60bd36c8fc06b7b9ba9551079fddad0be0a3d64f5e9e2f3f4e3dc1
• Opcode Fuzzy Hash: 3061f0e14ddcd74edfd6dd52ef897087c65cad648e68921503673a6214fd244c
• Instruction Fuzzy Hash: 83321B74A04228CFCB69EF74D8986ADB7B6BF48205F1041EAD50EA3350DB349E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: cf4ae8d84c471da9d14d0a583f359524903a3496fdc3f1a6ec12f75e39127287
• Instruction ID: adff57c5d795bbc39922bac1967a318ebcb46fb62392bba3888719f1e5726f82
• Opcode Fuzzy Hash: cf4ae8d84c471da9d14d0a583f359524903a3496fdc3f1a6ec12f75e39127287
• Instruction Fuzzy Hash: C6320B74A04228CFCB69EF74D8986ADB7B6BF88205F1041EAD50EA3350DB349E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 1c07dad24fd76f40b934cef059b079b81d663e43b4bc8c134fbd18957628e118
• Instruction ID: ddd4396ff58942610edd82771b0c90999257d7abd769623fa21bb75c1fb47ccc
• Opcode Fuzzy Hash: 1c07dad24fd76f40b934cef059b079b81d663e43b4bc8c134fbd18957628e118
• Instruction Fuzzy Hash: 4E321B74A04228CFCB69EF74D8986ADB7B6BF88205F1041EAD50EA3350DB349E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 28cb36e50e2f255ef1cb8ea8c74d321afa1eac7e36845d1687355b67e95cbe2f
• Instruction ID: 025941580478e03c79c7a7cd5be677dbaed8134222a61d43a5abb19a230fcd6c
• Opcode Fuzzy Hash: 28cb36e50e2f255ef1cb8ea8c74d321afa1eac7e36845d1687355b67e95cbe2f
• Instruction Fuzzy Hash: 8F321C74A04228CFCB69EF74D8986ADB7B6BF88305F1041EAD50AA3350DB349E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: c6112d79c7d6d65665c3afcfa75c6c616ce722c2bda7d37967f2ca6321e3f43d
• Instruction ID: 5a0f7f716433d096e1774e1d939f0dc422d1aafa704437f8b611d88f25a28f25
• Opcode Fuzzy Hash: c6112d79c7d6d65665c3afcfa75c6c616ce722c2bda7d37967f2ca6321e3f43d
• Instruction Fuzzy Hash: F5221D74A04228CFCB69EF74D8986ADB7B6BF88205F1041EAD50EA3350DB349E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: b10ad3c6bb7df43469da21c85301a3f1cbd40540c2985332916869dadc7645a3
• Instruction ID: 1e0fe5a2cc26aebe8b4d69a3a9a1aee30f6b219cabb7fc16c1a04a3cb08adf0b
• Opcode Fuzzy Hash: b10ad3c6bb7df43469da21c85301a3f1cbd40540c2985332916869dadc7645a3
• Instruction Fuzzy Hash: 33221D74A04228CFCB69EF74D8986ADB7B6BF88205F1041EAD50EA3350DB349E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: bf23f1ef9d398e283e9094b8a1b7ca093426a160c7c9e979ca31955d679b7257
• Instruction ID: 1529472981f38fb0c460cf79d4ce897111626bd1716390aef672369c43b78f93
• Opcode Fuzzy Hash: bf23f1ef9d398e283e9094b8a1b7ca093426a160c7c9e979ca31955d679b7257
• Instruction Fuzzy Hash: 3A222D74A04228CFCB69EF74D8987ADB7B6BF88205F1041EAD50AA3350DB349E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 0f0595629a34ab99a4241f39bc261658ec178d9c67bd73a244dd5d58e3dbfc3d
• Instruction ID: fc6dbfdf2c913854b59356922087148cb86032c3f495d2732c12e8ccfd458d38
• Opcode Fuzzy Hash: 0f0595629a34ab99a4241f39bc261658ec178d9c67bd73a244dd5d58e3dbfc3d
• Instruction Fuzzy Hash: 0D222D74A04228CFCB69EF74D8987ADB7B6BF88205F1041EAD50AA3350DB349E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 769224f83c33c5f3dbc3c5f62acfebf95fa1b14eb586a6eacab45eb7b3af85be
• Instruction ID: 552d64ab7ccd924742425d2a85f13b5290198000ee129a4a07defcd5d365ae35
• Opcode Fuzzy Hash: 769224f83c33c5f3dbc3c5f62acfebf95fa1b14eb586a6eacab45eb7b3af85be
• Instruction Fuzzy Hash: F8222E74A04228CFCB69EF74D8987ADB7B6BF88205F1041EAD50AA3350DB349E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 97e8a931fea87f4f7c5573322ed1ee08be29d924761ad89db0f4a6d4ab324636
• Instruction ID: 3abbf5d255a64419d3c4f13e45a70efe1b77f0572816d1d4e45fe94dfb65b646
• Opcode Fuzzy Hash: 97e8a931fea87f4f7c5573322ed1ee08be29d924761ad89db0f4a6d4ab324636
• Instruction Fuzzy Hash: 8A222E74A04228CFCB69EF74D8987ADB7B6BF88205F1041EAD50AA3350DB349E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 756859ee14f151427c0c86c70859a94aee8c664fa48f1311db893c4b9d663676
• Instruction ID: 471806071618d1b0a5391164f48e40229dcdb45abf26c52314c44b05bd6158dc
• Opcode Fuzzy Hash: 756859ee14f151427c0c86c70859a94aee8c664fa48f1311db893c4b9d663676
• Instruction Fuzzy Hash: D4122F74A04229CFCB68EF74D8987ADB7B6BF88205F1041EAD50AA3350DB348E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: d1735719d00314385e1fa411ed69c9a98db34ea4f336eeb5d43dc8f86106a146
• Instruction ID: aaf406cf17c6970b86fe1f399de459d2cfd45f03c341a9800125ecb4686bb960
• Opcode Fuzzy Hash: d1735719d00314385e1fa411ed69c9a98db34ea4f336eeb5d43dc8f86106a146
• Instruction Fuzzy Hash: C4122F74A04229CFCB68EF74D8987ADB7B6BF88205F1045E9D50AA3350DB348E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 366d1b7bea87f4469db6cfdcb1c014ad75c3f4ce0529110424212bcc3f18261c
• Instruction ID: fb7aa1dd899913f9c16f4d534fb2e581cac845417c5209efd80849ba50656e59
• Opcode Fuzzy Hash: 366d1b7bea87f4469db6cfdcb1c014ad75c3f4ce0529110424212bcc3f18261c
• Instruction Fuzzy Hash: 0C122FB4A04229CBCB68EF74D8987ADB7B6BF88205F1045E9D50AA3350DF348D85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
Memory Dump Source
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 7ccecb41a14260bd3916032a4ae7677b8545f086a1b65abc7c6cdd58e8f3beac
• Instruction ID: 9191624d6cf411867cdff5d7aad97de90972c8dbe7bac1850b2e59e306a865b3
• Opcode Fuzzy Hash: 7ccecb41a14260bd3916032a4ae7677b8545f086a1b65abc7c6cdd58e8f3beac
• Instruction Fuzzy Hash: 4D122DB4A04229CBCB68EF74D8987ADB7B6BF88205F1045E9D50AA3350DF348E85CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D130A
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser$InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2638914809-0
                                                                      • Opcode ID: c2fcf0f990218774c62b8c7ea65fd197bb4e2698d242d82e1aef401c1f3c0dc8
                                                                      • Instruction ID: 33dd9d353f1bdf8fcb285ac5dd4e2e850939f21c03e67d14599a6fb252578177
                                                                      • Opcode Fuzzy Hash: c2fcf0f990218774c62b8c7ea65fd197bb4e2698d242d82e1aef401c1f3c0dc8
                                                                      • Instruction Fuzzy Hash: 43022DB4A04229CBCB68EF74D8987ADB7B6BF88205F1045E9D50AA3350DF348E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionInitializeThunkUser
                                                                      • String ID:
                                                                      • API String ID: 243558500-0
                                                                      • Opcode ID: bbe3a7ec117f8c06d51f15f6b8c03f0918586264f70e725eb8cee01935bd7015
                                                                      • Instruction ID: 15a750cce290096a9fc7b0c77484e2eb4c781c2cb41c9771b0cedd5e23826113
                                                                      • Opcode Fuzzy Hash: bbe3a7ec117f8c06d51f15f6b8c03f0918586264f70e725eb8cee01935bd7015
                                                                      • Instruction Fuzzy Hash: 81022CB4A04229CBCB68EB74DC987ADB7B6BF88205F1045E9D50AA3350DF348E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionInitializeThunkUser
                                                                      • String ID:
                                                                      • API String ID: 243558500-0
                                                                      • Opcode ID: f2d5baf8dfe724ce558e4c97e77ba21045a3c4b4a6d9fbdc9a803f73dafc7d4c
                                                                      • Instruction ID: 9d9dfde6b7877cc28ebd18a1783b4e94085f61886286f15ad52c4ce79002fa8c
                                                                      • Opcode Fuzzy Hash: f2d5baf8dfe724ce558e4c97e77ba21045a3c4b4a6d9fbdc9a803f73dafc7d4c
                                                                      • Instruction Fuzzy Hash: 00022DB4A04229CFCB68EB74DC987ADB7B6AF88205F1045EAD50AA3350DF348D85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionInitializeThunkUser
                                                                      • String ID:
                                                                      • API String ID: 243558500-0
                                                                      • Opcode ID: cdb98123811e661786b94808743edd3ee7dfc043e97e2c69da00e9416f316846
                                                                      • Instruction ID: a1e2ff121e8322a24a8152a8222634d84384c9178a6a3dd368a50e8bdec4f98d
                                                                      • Opcode Fuzzy Hash: cdb98123811e661786b94808743edd3ee7dfc043e97e2c69da00e9416f316846
                                                                      • Instruction Fuzzy Hash: 0A022CB0A04229CBCB64EB74DC987ADB7B6AF88205F1045EAD50AA3350DF348D85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionInitializeThunkUser
                                                                      • String ID:
                                                                      • API String ID: 243558500-0
                                                                      • Opcode ID: 93dcd0239db992428f51ca691119f0c8e86a3fad46a8402e3d18a0f4f7f589b0
                                                                      • Instruction ID: e911edf4ba4b1e3f9bb614fce884d78da9d2726c9d7f6ef017f75889bf4fa4ee
                                                                      • Opcode Fuzzy Hash: 93dcd0239db992428f51ca691119f0c8e86a3fad46a8402e3d18a0f4f7f589b0
                                                                      • Instruction Fuzzy Hash: 30F12CB0A04229CBCB64EB74DC987ADB7B6AF88205F1045EAD50AA7350DF348D85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LdrInitializeThunk.NTDLL ref: 011D159B
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionInitializeThunkUser
                                                                      • String ID:
                                                                      • API String ID: 243558500-0
                                                                      • Opcode ID: 3c9c53752472ce4caefbe0e507d67b6fd2ee221498cbe465bae9341c458995fb
                                                                      • Instruction ID: 7be72723c9069566f15c46c82370002d53b9b73cec8a73ded8cb600d6888cda2
                                                                      • Opcode Fuzzy Hash: 3c9c53752472ce4caefbe0e507d67b6fd2ee221498cbe465bae9341c458995fb
                                                                      • Instruction Fuzzy Hash: 96F12AB0A04228CBCB64EB74DC987ADB7B6AF88205F1045EAD50AA7350DF348E85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 9f5e8e9f531f98a02339a73890912cd2d70e7b203725a100ed190d597bb815b3
                                                                      • Instruction ID: 89b2918fc67628d38219ab2d8b41c4c133956125bfd3a6428e0163b57c821c2a
                                                                      • Opcode Fuzzy Hash: 9f5e8e9f531f98a02339a73890912cd2d70e7b203725a100ed190d597bb815b3
                                                                      • Instruction Fuzzy Hash: 819132B4A04229CFCB68EB34C8947ADB7B6BF88205F1044E9D60EA7354DB389D85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: d981507971c194d7e31251e3f499a95b9707d74689fdc6461d2f3356224ef9bf
                                                                      • Instruction ID: d6eb0f211389e83b845223bbc9f6db52305f88d782cdea2e923c752eddbfcc9d
                                                                      • Opcode Fuzzy Hash: d981507971c194d7e31251e3f499a95b9707d74689fdc6461d2f3356224ef9bf
                                                                      • Instruction Fuzzy Hash: D18142B4A04228CFCB68DB34C8947ADB7B6AF88205F1045E9D60EA7354DF389D85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: da0da999ba9ea807bdae5d643c3a4598d1ab70c38b46813d7586e3bf8c1ed268
                                                                      • Instruction ID: a5de5356bfeb514151e1fb06afbc0d709b25876d3e778a0936d3e3c29b9bb588
                                                                      • Opcode Fuzzy Hash: da0da999ba9ea807bdae5d643c3a4598d1ab70c38b46813d7586e3bf8c1ed268
                                                                      • Instruction Fuzzy Hash: E88143B4A00229CFCB68EB74C8947ADB7B6AF88205F1044E9D60EA7354DF389D85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 272e1dc0437a3c9eea6f48e9a6a580c105b321fd1c42513daa59710936e19834
                                                                      • Instruction ID: 1ab904e264e4645cc10ab7b151c7c5456f24e6d92cb8faf42572272b4878859f
                                                                      • Opcode Fuzzy Hash: 272e1dc0437a3c9eea6f48e9a6a580c105b321fd1c42513daa59710936e19834
                                                                      • Instruction Fuzzy Hash: 0B7141B4A00229CFCB68EB74C8947ADB7B6AF88205F1044E9C60EA7354DF389D85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480030877.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 78966a5783bd8eba65f928791ac0a85f3dc28708fd08943499623bb065952d4c
                                                                      • Instruction ID: 6356c53f505dabd745064b297725c3073b9569c4aede8c923f5ec66769a23cae
                                                                      • Opcode Fuzzy Hash: 78966a5783bd8eba65f928791ac0a85f3dc28708fd08943499623bb065952d4c
                                                                      • Instruction Fuzzy Hash: F2615130A11619DFDB18EFF4D8587AEBBF2AF84304F108429D502A7365DF359945CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: afe686a83cd8399dff04269fac34f955da90b2af8f68ee4d53fe7cbeede0a17f
                                                                      • Instruction ID: bc772f52bf339f9155d908c8714349606bab55449acdc47d1c5f40eaa145e642
                                                                      • Opcode Fuzzy Hash: afe686a83cd8399dff04269fac34f955da90b2af8f68ee4d53fe7cbeede0a17f
                                                                      • Instruction Fuzzy Hash: 6D7141B0A00229CBCB68EB74C8947ADB7B6AF84205F1085ADC60EA7754DF389D85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 38024e0fbdd8b93570c2b6dff878cf179c42e9d8d12cd198b0db082a96ccc8d8
                                                                      • Instruction ID: c227095cd54cceab0646c223c7cbc2612bb3f3bb9e2d15c1dcf377501b3b9f81
                                                                      • Opcode Fuzzy Hash: 38024e0fbdd8b93570c2b6dff878cf179c42e9d8d12cd198b0db082a96ccc8d8
                                                                      • Instruction Fuzzy Hash: 266151B0A00229CBCB68EB74C8947ADB6B6AF84205F1084EDC60EA7754DF389D85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: 1fc98a447e97278ba78e0eb65fc90f771504021571a61c9c4158748f4e684bb7
                                                                      • Instruction ID: ec4892d231f203e0fb2902f247b9f14a5d7f1dea5ffe5e611970865926ff8ab7
                                                                      • Opcode Fuzzy Hash: 1fc98a447e97278ba78e0eb65fc90f771504021571a61c9c4158748f4e684bb7
                                                                      • Instruction Fuzzy Hash: 956163B1A00229CFCB68EB74C8947ADB6B6AF84205F1084ADC60EE7754DF389D85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • KiUserExceptionDispatcher.NTDLL ref: 011D1B11
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DispatcherExceptionUser
                                                                      • String ID:
                                                                      • API String ID: 6842923-0
                                                                      • Opcode ID: f22ca8aa3d8c35a120c2a520b22d060ad6e326925fd901050e9e63cb87a0be5a
                                                                      • Instruction ID: bf987e9978988c1b3da9290fda1f8c6b88a5e926196307f12fed30bb40fc6d54
                                                                      • Opcode Fuzzy Hash: f22ca8aa3d8c35a120c2a520b22d060ad6e326925fd901050e9e63cb87a0be5a
                                                                      • Instruction Fuzzy Hash: 585182B1A00229CBCB68EB74CC947ADB6B6AF88205F1084ADC50EE7754DF388D85CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480030877.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 33c833b46140205b348857b8f1d6b81cbac851c7c62d48ddeeece5dc6ce7443e
                                                                      • Instruction ID: 6241de91e80c8a6e5474e7ceef5cf15c056891c337bdf10411a15860576c323e
                                                                      • Opcode Fuzzy Hash: 33c833b46140205b348857b8f1d6b81cbac851c7c62d48ddeeece5dc6ce7443e
                                                                      • Instruction Fuzzy Hash: 02519331A103059FCB08FBB4C849AEEB7F5BF84604B14896EE5129B395DF34E804CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480030877.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: e209c57ef419dc6a5aa99b34e0db163645a49b44c65eb6df4411dd3d2b89a5c9
                                                                      • Instruction ID: b91f96389ad95f63ed60fdf41872bc7dc7a863f80bcdbcba75378f8904993b51
                                                                      • Opcode Fuzzy Hash: e209c57ef419dc6a5aa99b34e0db163645a49b44c65eb6df4411dd3d2b89a5c9
                                                                      • Instruction Fuzzy Hash: DE518331A103059FCB44EBB4D845AEEB7F5BF88204F14856AE4129B355DF34E9058B61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480184818.00000000012D0000.00000040.00000001.sdmp, Offset: 012D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 886b30732bab60854536eacd34bf2712a67963d0e1df6a0d0f52442a55a1a8b6
                                                                      • Instruction ID: 4c8e6fcd54e9ae5488da12455dba9ef1b9a1dad2ae68421bf69f5923a92c8474
                                                                      • Opcode Fuzzy Hash: 886b30732bab60854536eacd34bf2712a67963d0e1df6a0d0f52442a55a1a8b6
                                                                      • Instruction Fuzzy Hash: 555112B1C10249AFDF15CFA9C984ADDBFB1FF48300F25816AE918AB220D7B19955CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

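The records in this section follow Joe Sandbox's per-function layout: the NT/Win32 APIs a function references (with argument values where recovered), the memory dump the function was disassembled from, and the identifiers (Opcode ID, Instruction ID, fuzzy hashes) used to match it against other samples. The Python script below is an added example for this report and is not Joe Sandbox code. It parses records in this layout (the sample is constructed from three records on this page, abridged), decodes the dump file name, flags functions disassembled from memory that is not backed by a PE image and is PAGE_EXECUTE_READWRITE (where unpacked or injected code usually lives), decodes the hive handle passed to RegOpenKeyExW, and groups near-identical functions by Instruction Fuzzy Hash. Two assumptions: the split of the dump file name into pid-index, run, dump-id, base, protection and type fields is my reading of Joe Sandbox's naming convention, and the positional Hamming distance used for grouping is a heuristic chosen here, not Joe Sandbox's own similarity measure. PAGE_* and HKEY_* values are documented Windows constants.

```python
"""Parse Joe Sandbox per-function records and triage them. Added example, not
Joe Sandbox code; the dump file name field layout is an assumption."""
import re

PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",          # winnt.h
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",  # winreg.h
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(r"^(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(\w+)$")

# Constructed sample: three records copied (abridged) from this report.
SAMPLE = """
APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• KiUserExceptionDispatcher.NTDLL ref: 011D1B11
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
• API ID: DispatcherExceptionUser$InitializeThunk
• Opcode ID: 366d1b7bea87f4469db6cfdcb1c014ad75c3f4ce0529110424212bcc3f18261c
• Instruction Fuzzy Hash: 0C122FB4A04229CBCB68EF74D8987ADB7B6BF88205F1045E9D50AA3350DF348D85CF55
Uniqueness Score: -1.00%
APIs
• KiUserExceptionDispatcher.NTDLL ref: 011D130A
• LdrInitializeThunk.NTDLL ref: 011D159B
• Source File: 00000002.00000002.480012666.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: false
• Instruction Fuzzy Hash: 4D122DB4A04229CBCB68EF74D8987ADB7B6BF88205F1045E9D50AA3350DF348E85CF55
Uniqueness Score: -1.00%
APIs
• RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 011ED9C4
• Source File: 00000002.00000002.480030877.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false
• API ID: Open
• Instruction Fuzzy Hash: B44166719042498FDB18CFE8C548A8EFFF2AF48314F28816EE808AB341DB799945CB51
Uniqueness Score: -1.00%
"""


def parse_records(text):
    """One record per 'Uniqueness Score' line; bullet lines become API entries
    or key/value fields, section headers and blank lines are skipped."""
    records, cur = [], {"apis": [], "fields": {}}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Uniqueness Score"):
            cur["fields"]["Uniqueness Score"] = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = {"apis": [], "fields": {}}
        elif (m := API_RE.match(line)):
            name, module, args, ref = m.groups()
            cur["apis"].append({"name": name, "module": module,
                                "args": args.split(",") if args else [],
                                "ref": int(ref, 16)})
        elif (m := KV_RE.match(line)):
            cur["fields"][m.group(1).strip()] = m.group(2).strip()
    return records


def decode_source(value):
    """Decode '<dump>.sdmp, Offset: X, based on PE: bool'. Reading the dump name
    as pid-index.run.dump-id.base.protection.type is an assumption."""
    m = SOURCE_RE.match(value)
    if not m:
        return None
    fname, offset, pe = m.groups()
    base, prot = (int(p, 16) for p in fname.split(".")[3:5])
    return {"dump": fname, "offset": int(offset, 16), "pe_backed": pe == "true",
            "base": base, "protection": prot,
            "protection_name": PAGE_PROTECTION.get(prot, hex(prot))}


def triage(records):
    """Surface code running from non-PE-backed RWX memory (where unpacked or
    injected code usually lives) and registry opens with the hive decoded."""
    findings = []
    for r in records:
        src = decode_source(r["fields"].get("Source File", ""))
        if src and not src["pe_backed"] and src["protection"] == 0x40:
            findings.append(("rwx_unbacked", src["dump"], hex(src["offset"])))
        for api in r["apis"]:
            if api["name"] == "RegOpenKeyExW" and api["args"]:
                hive = api["args"][0]
                if re.fullmatch(r"[0-9A-Fa-f]+", hive):
                    hive = HKEY.get(int(hive, 16), hive)
                findings.append(("reg_open", hive, hex(api["ref"])))
    return findings


def hamming(a, b):
    """Positional hex-digit distance; a heuristic, not Joe Sandbox's measure."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def cluster_by_fuzzy_hash(records, max_distance=8):
    """Group records whose Instruction Fuzzy Hash is within max_distance of a
    cluster's first member, collapsing near-identical functions."""
    clusters = []
    for h in (r["fields"].get("Instruction Fuzzy Hash") for r in records):
        if not h:
            continue
        for c in clusters:
            if hamming(c[0], h) <= max_distance:
                c.append(h)
                break
        else:
            clusters.append([h])
    return clusters
```

On a full report the function listing is pasted (or read from a file) in place of SAMPLE; the interesting output is the set of dumps that are both `based on PE: false` and PAGE_EXECUTE_READWRITE, since every function disassembled from such a region was written into memory at run time rather than mapped from the file on disk, and the hive decode turns `80000001` into HKEY_CURRENT_USER without consulting a header file.

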
                                                                      APIs
                                                                      • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 011ED9C4
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480030877.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012D51A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480184818.00000000012D0000.00000040.00000001.sdmp, Offset: 012D0000, based on PE: false

                                                                      APIs
                                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 012D7F09
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480184818.00000000012D0000.00000040.00000001.sdmp, Offset: 012D0000, based on PE: false

                                                                      APIs
                                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 011EDC31
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480030877.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

                                                                      APIs
                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 012DC222
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480184818.00000000012D0000.00000040.00000001.sdmp, Offset: 012D0000, based on PE: false

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012D6BEF
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480184818.00000000012D0000.00000040.00000001.sdmp, Offset: 012D0000, based on PE: false

                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 012D4116
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.480184818.00000000012D0000.00000040.00000001.sdmp, Offset: 012D0000, based on PE: false

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.477654978.0000000000F8D000.00000040.00000001.sdmp, Offset: 00F8D000, based on PE: false

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.477775148.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false

                                                                      Non-executed Functions