Analysis Report CRPR7mRha6.exe

Overview

General Information

Sample Name: CRPR7mRha6.exe
Analysis ID: 412513
MD5: fef29c7c85536dcfc68b4f9d7b77d038
SHA1: 4bbb5ce085c07c4d218ec21b9153c3961d151748
SHA256: f6e14fbe48796831ef4b718774f7a8706dfb4b0694dfc79e13f9946f0302c125
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla (two rules: JoeSecurity_AgentTesla_1 and JoeSecurity_AgentTesla_2)
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • CRPR7mRha6.exe (PID: 6888 cmdline: 'C:\Users\user\Desktop\CRPR7mRha6.exe' MD5: FEF29C7C85536DCFC68B4F9D7B77D038)
    • schtasks.exe (PID: 7092 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NrdwACrrcHu' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD35.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • CRPR7mRha6.exe (PID: 7148 cmdline: C:\Users\user\Desktop\CRPR7mRha6.exe MD5: FEF29C7C85536DCFC68B4F9D7B77D038)
  • cleanup
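
The process tree above is the launch chain that the report's "Uses schtasks.exe or at.exe to add and modify task schedules" and "Creates a process in suspended mode (likely to inject code)" signatures describe: an executable running from a user-writable path spawns schtasks.exe /Create with a task XML in %TEMP%, and then re-launches its own image (the second CRPR7mRha6.exe, PID 7148, into which the unpacked AgentTesla payload is injected). The following is an added example of detection logic for that chain, not Joe Sandbox's code; the process-creation records are constructed here to mirror the tree above (simplified Sysmon Event ID 1 field names are assumed), and the benign control record is invented for contrast.

```python
"""Hunt for the AgentTesla-style launch chain from the report's process tree.
Added example, not Joe Sandbox code. Records are constructed; field names are a
simplification of Sysmon Event ID 1 (ProcessId/ParentProcessId/Image/CommandLine)."""
import re

# Constructed process-creation events modelled on the Startup tree in the report.
EVENTS = [
    {"pid": 6888, "ppid": 4000, "image": r"C:\Users\user\Desktop\CRPR7mRha6.exe",
     "cmdline": r"'C:\Users\user\Desktop\CRPR7mRha6.exe'"},
    {"pid": 7092, "ppid": 6888, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NrdwACrrcHu' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD35.tmp'"},
    {"pid": 7100, "ppid": 7092, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 7148, "ppid": 6888, "image": r"C:\Users\user\Desktop\CRPR7mRha6.exe",
     "cmdline": r"C:\Users\user\Desktop\CRPR7mRha6.exe"},
    # Invented benign control: a task created from a script living under ProgramData.
    {"pid": 8000, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /TN 'Backup' /XML 'C:\ProgramData\backup\task.xml'"},
]

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\", re.IGNORECASE)
CREATE_FLAG = re.compile(r"/Create\b", re.IGNORECASE)
# Task XML imported from the per-user temp directory, the pattern seen in the report.
TEMP_XML = re.compile(r"/XML\s+'?(?P<path>[^']+?\\AppData\\Local\\Temp\\[^' ]+)", re.IGNORECASE)
TASK_NAME = re.compile(r"/TN\s+'?([^' ]+)", re.IGNORECASE)


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def task_name(cmdline):
    """Extract the /TN argument of a schtasks command line, or None."""
    m = TASK_NAME.search(cmdline)
    return m.group(1) if m else None


def find_schtasks_from_temp_xml(events):
    """(schtasks_event, parent_event) pairs where schtasks /Create imports an XML
    from %TEMP% and the parent process runs from a user-writable path."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        if not (CREATE_FLAG.search(e["cmdline"]) and TEMP_XML.search(e["cmdline"])):
            continue
        parent = by_pid.get(e["ppid"])
        if parent and USER_WRITABLE.match(parent["image"]):
            hits.append((e, parent))
    return hits


def find_self_spawn(events):
    """Children whose image path equals their parent's image path: the shape that
    suspended-process self-injection leaves in process-creation telemetry."""
    by_pid = index_by_pid(events)
    return [e for e in events
            if e["ppid"] in by_pid
            and e["pid"] != e["ppid"]
            and by_pid[e["ppid"]]["image"].lower() == e["image"].lower()]


def hunt(events):
    """Run both rules and return one finding dict per match."""
    findings = []
    for sch, parent in find_schtasks_from_temp_xml(events):
        findings.append({"rule": "schtasks_xml_from_temp", "pid": sch["pid"],
                         "parent_pid": parent["pid"], "task": task_name(sch["cmdline"])})
    for child in find_self_spawn(events):
        findings.append({"rule": "self_spawn", "pid": child["pid"],
                         "parent_pid": child["ppid"], "task": None})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

On real telemetry, the two rules fire on different events but share a parent PID (6888 here); correlating them on that key is what separates this chain from an administrator importing a task definition or a legitimate updater that re-executes itself.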

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "dutchgardenfoodservices@saleperson.icuBIGGOD1234mail.privateemail.com"}

The SMTP Info value is emitted by the extractor as one concatenated field; it appears to run the sender address, the mailbox password and the SMTP server host together without separators. The host portion, mail.privateemail.com, is corroborated independently by the DNS query and the TCP connection to 198.54.122.60:587 recorded in the networking evidence below. The full string is a working credential and should be handled as such when this report is shared.

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.917091302.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.917091302.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000002.918444816.0000000002B36000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.666204246.00000000040B1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.666204246.00000000040B1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(7 further entries not reproduced here; the Strings column is empty for every row shown.)

Unpacked PEs

Source | Rule | Description | Author
0.2.CRPR7mRha6.exe.41cc268.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.CRPR7mRha6.exe.41cc268.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
5.2.CRPR7mRha6.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.CRPR7mRha6.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.CRPR7mRha6.exe.41cc268.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(2 further entries not reproduced here; the Strings column is empty for every row shown.)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "dutchgardenfoodservices@saleperson.icuBIGGOD1234mail.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NrdwACrrcHu.exe | ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: CRPR7mRha6.exe | Virustotal: Detection: 22%
Source: CRPR7mRha6.exe | ReversingLabs: Detection: 29%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NrdwACrrcHu.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CRPR7mRha6.exe | Joe Sandbox ML: detected
Source: 5.2.CRPR7mRha6.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: CRPR7mRha6.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: CRPR7mRha6.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\XPabvvoOCZ\src\obj\Debug\Reader.pdb | source: CRPR7mRha6.exe
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_0BACCA18)

Networking:

Source: global traffic | TCP traffic: 192.168.2.4:49771 -> 198.54.122.60:587
Source: Joe Sandbox View | IP Address: 198.54.122.60
Source: unknown | DNS traffic detected: queries for: mail.privateemail.com
(TCP 587 is the SMTP submission port, consistent with the extracted configuration's Exfil Mode of SMTP; the queried name mail.privateemail.com matches the host portion of that configuration's SMTP Info field.)
Source: CRPR7mRha6.exe, 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CRPR7mRha6.exe, 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: CRPR7mRha6.exe | String found in binary or memory: http://checkip.dyndns.org/
Source: CRPR7mRha6.exe, 00000005.00000002.921741260.000000000667A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CRPR7mRha6.exe, 00000005.00000002.921741260.000000000667A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CRPR7mRha6.exe, 00000005.00000002.921741260.000000000667A000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: CRPR7mRha6.exe, 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp | String found in binary or memory: http://fdVpyC.com
Source: CRPR7mRha6.exe, 00000005.00000002.918563596.0000000002BC2000.00000004.00000001.sdmp | String found in binary or memory: http://mail.privateemail.com
Source: CRPR7mRha6.exe, 00000005.00000002.921741260.000000000667A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: CRPR7mRha6.exe, 00000005.00000002.921741260.000000000667A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CRPR7mRha6.exe | String found in binary or memory: http://servermanager.miixit.org/
Source: CRPR7mRha6.exe | String found in binary or memory: http://servermanager.miixit.org/E
Source: CRPR7mRha6.exe | String found in binary or memory: http://servermanager.miixit.org/downloads/
Source: CRPR7mRha6.exe | String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=
Source: CRPR7mRha6.exe | String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=1
Source: CRPR7mRha6.exe | String found in binary or memory: http://servermanager.miixit.org/index_ru.html
Source: CRPR7mRha6.exe | String found in binary or memory: http://servermanager.miixit.org/index_ru.htmlk
Source: CRPR7mRha6.exe | String found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name=
Source: CRPR7mRha6.exe, 00000005.00000002.918495436.0000000002B71000.00000004.00000001.sdmp, CRPR7mRha6.exe, 00000005.00000002.918534814.0000000002BB8000.00000004.00000001.sdmp, CRPR7mRha6.exe, 00000005.00000002.918610328.0000000002BE4000.00000004.00000001.sdmp | String found in binary or memory: https://3PTogUAbnV.net
Source: CRPR7mRha6.exe, 00000005.00000002.921741260.000000000667A000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: CRPR7mRha6.exe | String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC
Source: CRPR7mRha6.exe, 00000000.00000002.666204246.00000000040B1000.00000004.00000001.sdmp, CRPR7mRha6.exe, 00000005.00000002.917091302.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: CRPR7mRha6.exe, 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
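
The networking evidence above is the whole of the exfiltration channel: the injected process resolves mail.privateemail.com and opens one TCP connection to 198.54.122.60 on port 587. The following is an added example, not Joe Sandbox's code, of detection logic that flags mail-port connections from processes that are not mail clients and ties each one back to the DNS lookup that produced the destination address. The connection and DNS records are constructed to mirror the report (simplified Sysmon Event ID 3 and 22 field names are assumed), the Outlook control record is invented for contrast, and the mail-client allowlist is an assumption to be tuned per environment.

```python
"""Flag SMTP/submission-port connections from non-mail-client processes and
enrich them with the preceding DNS resolution from the same process.
Added example, not Joe Sandbox code; all records below are constructed."""
from datetime import datetime, timedelta

MAIL_PORTS = {25, 465, 587}
# Assumed allowlist of legitimate mail user agents; tune for the environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed events mirroring the report's networking section (Sysmon 22 = DNS,
# Sysmon 3 = network connection, field names simplified).
NET_EVENTS = [
    {"ts": "2021-05-10T10:00:00", "type": "dns", "pid": 7148,
     "image": r"C:\Users\user\Desktop\CRPR7mRha6.exe",
     "query": "mail.privateemail.com", "answers": ["198.54.122.60"]},
    {"ts": "2021-05-10T10:00:01", "type": "net", "pid": 7148,
     "image": r"C:\Users\user\Desktop\CRPR7mRha6.exe",
     "src": "192.168.2.4", "sport": 49771, "dst": "198.54.122.60", "dport": 587},
    # Invented benign control: the real mail client submitting to a corporate relay.
    {"ts": "2021-05-10T10:05:00", "type": "net", "pid": 3100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "src": "192.168.2.4", "sport": 49800, "dst": "10.0.0.25", "dport": 587},
]


def _ts(value):
    return datetime.fromisoformat(value)


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_smtp(events, window=timedelta(minutes=5)):
    """One finding per connection to a mail port from a process outside the
    allowlist. `resolved_from` is the hostname the same PID resolved to the
    destination IP within `window` before the connection, or None."""
    dns = [e for e in events if e["type"] == "dns"]
    findings = []
    for e in events:
        if e["type"] != "net" or e["dport"] not in MAIL_PORTS:
            continue
        if basename(e["image"]) in MAIL_CLIENTS:
            continue
        host = None
        for d in dns:
            delta = _ts(e["ts"]) - _ts(d["ts"])
            if (d["pid"] == e["pid"] and e["dst"] in d["answers"]
                    and timedelta(0) <= delta <= window):
                host = d["query"]  # keep the most recent matching lookup
        findings.append({"pid": e["pid"], "image": e["image"],
                         "dst": f'{e["dst"]}:{e["dport"]}', "resolved_from": host})
    return findings


if __name__ == "__main__":
    for finding in suspicious_smtp(NET_EVENTS):
        print(finding)
```

The hostname enrichment matters for triage: a raw destination IP on a shared mail-hosting provider such as the one seen here tells an analyst little, whereas the resolved name can be compared directly against the host embedded in the extracted SMTP configuration.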

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\CRPR7mRha6.exe
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 5.2.CRPR7mRha6.exe.400000.0.unpack, <PrivateImplementationDetails>{A1A4F4A1-03A3-434E-BF0D-68F541FFBB21}/669EB8DE-AABD-41F9-875F-1941880520BA.cs | Large array initialization: .cctor: array initializer size 11953
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Code functions (process 0): 0_2_0309C2B0, 0_2_03099968, 0_2_0BAC8C30, 0_2_0BAC92D0, 0_2_0BACD218, 0_2_0BACA148, 0_2_0BAC303F, 0_2_0BAC8550, 0_2_0BAC4800, 0_2_0BAC9D68, 0_2_0BAC6080, 0_2_0BAC60D8, 0_2_0BAC0006, 0_2_0BAC4068, 0_2_0BAC6062, 0_2_0BAC0040, 0_2_0BAC4058, 0_2_0BAC605B, 0_2_0BAC47F0, 0_2_0BAC3778, 0_2_0BAC3773, 0_2_0BAC4521, 0_2_0BAC4530
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Code functions (process 5): 5_2_00C5F6B0, 5_2_00C5E210, 5_2_00C5CE38, 5_2_00C59758, 5_2_00C53730, 5_2_00C5A8D8, 5_2_00F860B0, 5_2_00F85929, 5_2_00F83468, 5_2_00F86698, 5_2_00F8AF2B, 5_2_011C46A0, 5_2_011C4673, 5_2_011C4690, 5_2_011CDA01
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\NrdwACrrcHu.exe F6E14FBE48796831EF4B718774F7A8706DFB4B0694DFC79E13F9946F0302C125 (this SHA256 is identical to the submitted sample's, so the dropped file is a self-copy rather than a second-stage payload)
Source: CRPR7mRha6.exe, 00000000.00000002.670829731.000000000C050000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000000.00000002.662320213.0000000000E1E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameReader.exeF vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000000.00000002.667800047.00000000042F2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000000.00000002.666204246.00000000040B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAdtozTzQyPHEAhYCEnHX.exe4 vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000000.00000002.670955078.000000000C140000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000000.00000002.670955078.000000000C140000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000000.00000002.665355925.0000000003149000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000005.00000002.919856112.0000000005170000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000005.00000002.921134270.0000000006210000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000005.00000002.917994653.0000000000F50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000005.00000002.917091302.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameAdtozTzQyPHEAhYCEnHX.exe4 vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000005.00000002.917350011.00000000009C8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000005.00000000.660828511.000000000082E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameReader.exeF vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000005.00000002.917820725.0000000000E5A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000005.00000002.917437261.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs CRPR7mRha6.exe
Source: CRPR7mRha6.exe | Binary or memory string: OriginalFilenameReader.exeF vs CRPR7mRha6.exe
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: CRPR7mRha6.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: CRPR7mRha6.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NrdwACrrcHu.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.CRPR7mRha6.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@1/1
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | File created: C:\Users\user\AppData\Roaming\NrdwACrrcHu.exe
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Mutant created: \Sessions\1\BaseNamedObjects\TakOvqvIFDzjqVTHCYDthy
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | File created: C:\Users\user\AppData\Local\Temp\tmpDD35.tmp
Source: CRPR7mRha6.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: CRPR7mRha6.exe | Virustotal: Detection: 22%
Source: CRPR7mRha6.exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | File read: C:\Users\user\Desktop\CRPR7mRha6.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\CRPR7mRha6.exe 'C:\Users\user\Desktop\CRPR7mRha6.exe'
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NrdwACrrcHu' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD35.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Process created: C:\Users\user\Desktop\CRPR7mRha6.exe C:\Users\user\Desktop\CRPR7mRha6.exe
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: CRPR7mRha6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CRPR7mRha6.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: CRPR7mRha6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\XPabvvoOCZ\src\obj\Debug\Reader.pdb | source: CRPR7mRha6.exe
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Code function: 5_2_00C57E9A push 8BFFFFFFh; retf (5_2_00C57EA0)
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Code function: 5_2_00C50C75 push 686400C3h; ret (5_2_00C50C7A)
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Code function: 5_2_00C50B10 pushfd ; ret (5_2_00C50B11)
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | Code function: 5_2_00F884B0 push ds; ret (5_2_00F8889A)
Source: initial sample | Static PE information: section name: .text entropy: 7.89645373779 (close to the 8.0 maximum, consistent with a packed or encrypted .text section)
Source: C:\Users\user\Desktop\CRPR7mRha6.exe | File created: C:\Users\user\AppData\Roaming\NrdwACrrcHu.exe

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NrdwACrrcHu' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD35.tmp'
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\CRPR7mRha6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match; File source: 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: CRPR7mRha6.exe PID: 6888, type: MEMORY
Source: Yara match; File source: 0.2.CRPR7mRha6.exe.30e2ef0.1.raw.unpack, type: UNPACKEDPE
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Window / User API: threadDelayed 1298
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Window / User API: threadDelayed 8554
Source: C:\Users\user\Desktop\CRPR7mRha6.exe TID: 6892; Thread sleep time: -104451s >= -30000s
Source: C:\Users\user\Desktop\CRPR7mRha6.exe TID: 6892; Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\CRPR7mRha6.exe TID: 6912; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\CRPR7mRha6.exe TID: 4824; Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\Desktop\CRPR7mRha6.exe TID: 6132; Thread sleep count: 1298 > 30
Source: C:\Users\user\Desktop\CRPR7mRha6.exe TID: 6132; Thread sleep count: 8554 > 30
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Thread delayed: delay time: 104451
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Thread delayed: delay time: 40000
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Thread delayed: delay time: 922337203685477
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp; Binary or memory string: vmware
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp; Binary or memory string: VMWARE
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
Source: CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp; Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: CRPR7mRha6.exe, 00000005.00000002.921691151.000000000666A000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Code function: 5_2_00C5C798 LdrInitializeThunk,5_2_00C5C798
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Memory written: C:\Users\user\Desktop\CRPR7mRha6.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NrdwACrrcHu' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD35.tmp'
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Process created: C:\Users\user\Desktop\CRPR7mRha6.exe C:\Users\user\Desktop\CRPR7mRha6.exe
Source: CRPR7mRha6.exe, 00000005.00000002.918202048.0000000001570000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: CRPR7mRha6.exe, 00000005.00000002.918202048.0000000001570000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: CRPR7mRha6.exe, 00000005.00000002.918202048.0000000001570000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: CRPR7mRha6.exe, 00000005.00000002.918202048.0000000001570000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Users\user\Desktop\CRPR7mRha6.exe VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Users\user\Desktop\CRPR7mRha6.exe VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match; File source: 00000005.00000002.917091302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.666204246.00000000040B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.CRPR7mRha6.exe.41cc268.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.CRPR7mRha6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CRPR7mRha6.exe.41cc268.3.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match; File source: 00000005.00000002.917091302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.918444816.0000000002B36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.666204246.00000000040B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: CRPR7mRha6.exe PID: 7148, type: MEMORY
Source: Yara match; File source: Process Memory Space: CRPR7mRha6.exe PID: 6888, type: MEMORY
Source: Yara match; File source: 0.2.CRPR7mRha6.exe.41cc268.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.CRPR7mRha6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CRPR7mRha6.exe.41cc268.3.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\CRPR7mRha6.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match; File source: 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: CRPR7mRha6.exe PID: 7148, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match; File source: 00000005.00000002.917091302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.666204246.00000000040B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.CRPR7mRha6.exe.41cc268.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.CRPR7mRha6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CRPR7mRha6.exe.41cc268.3.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match; File source: 00000005.00000002.917091302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.918444816.0000000002B36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.666204246.00000000040B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: CRPR7mRha6.exe PID: 7148, type: MEMORY
Source: Yara match; File source: Process Memory Space: CRPR7mRha6.exe PID: 6888, type: MEMORY
Source: Yara match; File source: 0.2.CRPR7mRha6.exe.41cc268.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.CRPR7mRha6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.CRPR7mRha6.exe.41cc268.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation211 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools1 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection112 | Deobfuscate/Decode Files or Information1 | Input Capture11 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Obfuscated Files or Information3 | Credentials in Registry1 | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing3 | NTDS | Security Software Discovery321 | Distributed Component Object Model | Input Capture11 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | Process Discovery2 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Virtualization/Sandbox Evasion141 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion141 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection112 | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 412513; Sample: CRPR7mRha6.exe; Start date: 12/05/2021; Architecture: WINDOWS; Score: 100

Signatures on the root node: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures

CRPR7mRha6.exe (started)
  Dropped: C:\Users\user\AppData\...\NrdwACrrcHu.exe, PE32
  Dropped: C:\Users\...\NrdwACrrcHu.exe:Zone.Identifier, ASCII
  Dropped: C:\Users\user\AppData\Local\...\tmpDD35.tmp, XML
  Dropped: C:\Users\user\AppData\...\CRPR7mRha6.exe.log, ASCII
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
  Child: CRPR7mRha6.exe (started)
    Network: mail.privateemail.com 198.54.122.60, 49771, 587 NAMECHEAP-NETUS United States
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
  Child: schtasks.exe (started)
    Child: conhost.exe (started)

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
CRPR7mRha6.exe | 23% | Virustotal |
CRPR7mRha6.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac
CRPR7mRha6.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\NrdwACrrcHu.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\NrdwACrrcHu.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac

                      Unpacked PE Files

Source | Detection | Scanner | Label
5.2.CRPR7mRha6.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://3PTogUAbnV.net | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | Virustotal |
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://servermanager.miixit.org/hits/hit_index.php?k=1 | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/E | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/index_ru.html | 0% | Avira URL Cloud | safe
http://fdVpyC.com | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/report/reporter_index.php?name= | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/ | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/index_ru.htmlk | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://servermanager.miixit.org/downloads/ | 0% | Avira URL Cloud | safe
http://servermanager.miixit.org/hits/hit_index.php?k= | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.privateemail.com | 198.54.122.60 | true | false | | high

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | CRPR7mRha6.exe, 00000005.00000002.921741260.000000000667A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:HTTP/1.1 | CRPR7mRha6.exe, 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | CRPR7mRha6.exe, 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://3PTogUAbnV.net | CRPR7mRha6.exe, 00000005.00000002.918495436.0000000002B71000.00000004.00000001.sdmp; CRPR7mRha6.exe, 00000005.00000002.918534814.0000000002BB8000.00000004.00000001.sdmp; CRPR7mRha6.exe, 00000005.00000002.918610328.0000000002BE4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | CRPR7mRha6.exe, 00000005.00000002.921741260.000000000667A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/ | CRPR7mRha6.exe | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0 | CRPR7mRha6.exe, 00000005.00000002.921741260.000000000667A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | CRPR7mRha6.exe, 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://servermanager.miixit.org/hits/hit_index.php?k=1 | CRPR7mRha6.exe | false | Avira URL Cloud: safe | unknown
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC | CRPR7mRha6.exe | false | | high
http://servermanager.miixit.org/E | CRPR7mRha6.exe | false | Avira URL Cloud: safe | unknown
http://servermanager.miixit.org/index_ru.html | CRPR7mRha6.exe | false | Avira URL Cloud: safe | unknown
http://fdVpyC.com | CRPR7mRha6.exe, 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://servermanager.miixit.org/report/reporter_index.php?name= | CRPR7mRha6.exe | false | Avira URL Cloud: safe | unknown
http://servermanager.miixit.org/ | CRPR7mRha6.exe | false | Avira URL Cloud: safe | unknown
http://mail.privateemail.com | CRPR7mRha6.exe, 00000005.00000002.918563596.0000000002BC2000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | false | | high
http://servermanager.miixit.org/index_ru.htmlk | CRPR7mRha6.exe | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | CRPR7mRha6.exe, 00000000.00000002.666204246.00000000040B1000.00000004.00000001.sdmp; CRPR7mRha6.exe, 00000005.00000002.917091302.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | CRPR7mRha6.exe, 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp | false | | high
http://servermanager.miixit.org/downloads/ | CRPR7mRha6.exe | false | Avira URL Cloud: safe | unknown
http://servermanager.miixit.org/hits/hit_index.php?k= | CRPR7mRha6.exe | false | Avira URL Cloud: safe | unknown

                                Contacted IPs


                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.54.122.60 | mail.privateemail.com | United States | 22612 | NAMECHEAP-NETUS | false

                                General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 412513
Start date: 12.05.2021
Start time: 18:40:22
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 50s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: CRPR7mRha6.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/4@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 84
• Number of non-executed functions: 17
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 92.122.145.220, 20.82.209.104, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 2.20.143.16, 2.20.142.209, 20.82.210.154
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

Time | Type | Description
18:41:13 | API Interceptor | 769x Sleep call for process: CRPR7mRha6.exe modified

                                Joe Sandbox View / Context

                                IPs

Match: 198.54.122.60

Associated Sample Name / URL | Detection
W9YDH79i8G.exe | malicious
Ko4zQgTBHv.exe | malicious
wed.doc | malicious
ORDER CONFIRMATION.doc | malicious
SecuriteInfo.com.Trojan.Packed2.43091.10004.exe | malicious
6e5c05e1_by_Libranalysis.exe | malicious
RFQ Plasma cutting machine.doc | malicious
337840b9_by_Libranalysis.exe | malicious
vy38Kw9qRh.exe | malicious
ePj6KfzLBxh4vbe.exe | malicious
zkXpISzeo3.exe | malicious
yl9KgwwOXDZoGMw.exe | malicious
8DL3LHg4SB6Q7z2.exe | malicious
01217a79_by_Libranalysis.exe | malicious
5iRqi4LmLF.exe | malicious
6f37L7HNqo.exe | malicious
IqRG5ZzYOH.exe | malicious
PO 4302003683.doc | malicious
Tender Overview 10052021.doc | malicious
ORDER 10.05.doc | malicious

                                                                        Domains

Match: mail.privateemail.com

Associated Sample Name / URL | Detection | Context (IP)
W9YDH79i8G.exe | malicious | 198.54.122.60
Ko4zQgTBHv.exe | malicious | 198.54.122.60
wed.doc | malicious | 198.54.122.60
ORDER CONFIRMATION.doc | malicious | 198.54.122.60
SecuriteInfo.com.Trojan.Packed2.43091.10004.exe | malicious | 198.54.122.60
6e5c05e1_by_Libranalysis.exe | malicious | 198.54.122.60
RFQ Plasma cutting machine.doc | malicious | 198.54.122.60
337840b9_by_Libranalysis.exe | malicious | 198.54.122.60
vy38Kw9qRh.exe | malicious | 198.54.122.60
ePj6KfzLBxh4vbe.exe | malicious | 198.54.122.60
zkXpISzeo3.exe | malicious | 198.54.122.60
yl9KgwwOXDZoGMw.exe | malicious | 198.54.122.60
8DL3LHg4SB6Q7z2.exe | malicious | 198.54.122.60
01217a79_by_Libranalysis.exe | malicious | 198.54.122.60
5iRqi4LmLF.exe | malicious | 198.54.122.60
6f37L7HNqo.exe | malicious | 198.54.122.60
IqRG5ZzYOH.exe | malicious | 198.54.122.60
PO 4302003683.doc | malicious | 198.54.122.60
Tender Overview 10052021.doc | malicious | 198.54.122.60
ORDER 10.05.doc | malicious | 198.54.122.60

                                                                        ASN

Match: NAMECHEAP-NETUS

Associated Sample Name / URL | Detection | Context (IP)
W9YDH79i8G.exe | malicious | 198.54.122.60
Ko4zQgTBHv.exe | malicious | 198.54.122.60
Purchase Order.exe | malicious | 198.54.126.165
wed.doc | malicious | 198.54.122.60
ORDER CONFIRMATION.doc | malicious | 198.54.122.60
SecuriteInfo.com.Trojan.Packed2.43091.10004.exe | malicious | 198.54.122.60
6e5c05e1_by_Libranalysis.exe | malicious | 198.54.122.60
RFQ Plasma cutting machine.doc | malicious | 198.54.122.60
Order 122001-220 guanzo.exe | malicious | 198.54.117.216
main_setup_x86x64.exe | malicious | 162.255.119.164
00098765123POIIU.exe | malicious | 199.192.23.253
e8eRhf3GM0.xlsm | malicious | 185.61.154.27
2021_May_Quotation_pdf.exe | malicious | 198.54.115.133
337840b9_by_Libranalysis.exe | malicious | 198.54.122.60
Citvonvhciktufwvyzyhistnewdjgsoqdr.exe | malicious | 198.54.117.212
Updated Order list -804333.exe | malicious | 198.54.115.56
NAVTECO_R1_10_05_2021,pdf.exe | malicious | 198.54.117.212
BELLOW FABRICATION Dwg.exe | malicious | 199.188.200.15
file.exe | malicious | 198.54.115.133
scan of document 5336227.xlsm | malicious | 162.0.233.152

                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\NrdwACrrcHu.exe | RFQ Plasma cutting machine.doc | malicious

                                                                          Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CRPR7mRha6.exe.log
Process: C:\Users\user\Desktop\CRPR7mRha6.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Temp\tmpDD35.tmp
Process: C:\Users\user\Desktop\CRPR7mRha6.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1644
Entropy (8bit): 5.1776155209459285
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGxtn:cbhK79lNQR/rydbz9I3YODOLNdq3y
MD5: 75BE106FF3E1EAD5C068DC56C24B9C22
SHA1: E87742D7C3BE84557999BB121725992FFD65E155
SHA-256: 972EFB267049BEECDE4F4E3B72EFA093329584E2F7B974207A2EE61AE8914966
SHA-512: 60D7ACCDE696038B1A8DECAD7670531BFF5701F26FD609A451BB73F607097F5EA01496FA29BA923BB08BFCD4B0A1F01B1E0C21631BF57DBFA072E61D02D27F3F
Malicious: true
Reputation: low
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                          C:\Users\user\AppData\Roaming\NrdwACrrcHu.exe
                                                                          Process:C:\Users\user\Desktop\CRPR7mRha6.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):976384
                                                                          Entropy (8bit):7.876183677169372
                                                                          Encrypted:false
                                                                          SSDEEP:12288:uNE5qL6Evo89A05qLy+EdGPoMGFZVNMjIpGVWu4t9eaY6VJFNMV5qLw:uNyI6jw9I+GPoMKVNMjIp2vstFsIw
                                                                          MD5:FEF29C7C85536DCFC68B4F9D7B77D038
                                                                          SHA1:4BBB5CE085C07C4D218EC21B9153C3961D151748
                                                                          SHA-256:F6E14FBE48796831EF4B718774F7A8706DFB4B0694DFC79E13F9946F0302C125
                                                                          SHA-512:65354D3B93B61D61ABE0794F8AB5B50BD72567D9DA1AC88C6BB9C927B2D646DE2D53C11FA045B8932A4D4B6CBB49A1D39605EC91BC382E1394EC97295905BE77
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 30%
                                                                          Joe Sandbox View:
• Filename: RFQ Plasma cutting machine.doc, Detection: malicious
                                                                          Reputation:low
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%e.`..............P......8........... ........@.. .......................@............@.....................................O........4................... ......l................................................ ............... ..H............text........ ...................... ..`.rsrc....4.......6..................@..@.reloc....... ......................@..B........................H.......xr...............................................................0............(....( .........(.....o!....*.....................("......(#......($......(%......(&....*N..(....o....('....*&..((....*.s)........s*........s+........s,........s-........*....0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+..*.0......
                                                                          C:\Users\user\AppData\Roaming\NrdwACrrcHu.exe:Zone.Identifier
                                                                          Process:C:\Users\user\Desktop\CRPR7mRha6.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Reputation:high, very likely benign file
                                                                          Preview: [ZoneTransfer]....ZoneId=0

                                                                          Static File Info

                                                                          General

                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):7.876183677169372
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          File name:CRPR7mRha6.exe
                                                                          File size:976384
                                                                          MD5:fef29c7c85536dcfc68b4f9d7b77d038
                                                                          SHA1:4bbb5ce085c07c4d218ec21b9153c3961d151748
                                                                          SHA256:f6e14fbe48796831ef4b718774f7a8706dfb4b0694dfc79e13f9946f0302c125
                                                                          SHA512:65354d3b93b61d61abe0794f8ab5b50bd72567d9da1ac88c6bb9c927b2d646de2d53c11fa045b8932a4d4b6cbb49a1d39605ec91bc382e1394ec97295905be77
                                                                          SSDEEP:12288:uNE5qL6Evo89A05qLy+EdGPoMGFZVNMjIpGVWu4t9eaY6VJFNMV5qLw:uNyI6jw9I+GPoMKVNMjIp2vstFsIw
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%e.`..............P......8........... ........@.. .......................@............@................................

                                                                          File Icon

                                                                          Icon Hash:f2d2e9fcc4ead362

                                                                          Static PE Info

                                                                          General

                                                                          Entrypoint:0x4ecaf6
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                          Time Stamp:0x609B6525 [Wed May 12 05:18:29 2021 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:v4.0.30319
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                          Entrypoint Preview

                                                                          Instruction
                                                                          jmp dword ptr [00402000h]
                                                                          add byte ptr [eax], al

                                                                          Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xecaa4          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xee000          0x3494        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf2000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xec96c          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                          Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xeaafc       0xeac00   False     0.910296650359   data       7.89645373779   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xee000          0x3494        0x3600    False     0.360677083333   data       5.24129617498   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xf2000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                          Resources

Name           RVA      Size    Type                                                                                                      Language  Country
RT_ICON        0xee100  0x25a8  dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON  0xf06b8  0x14    data
RT_VERSION     0xf06dc  0x33c   data
RT_MANIFEST    0xf0a28  0xa65   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                          Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                          Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2013
Assembly Version  3.0.0.0
InternalName      Reader.exe
FileVersion       3.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       ServerManager_Core
ProductVersion    3.0.0.0
FileDescription   ServerManager_Core
OriginalFilename  Reader.exe

                                                                          Network Behavior

                                                                          Network Port Distribution

                                                                          TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
May 12, 2021 18:42:59.036103010 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:42:59.226594925 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:42:59.226876974 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:42:59.418620110 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:42:59.419317961 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:42:59.609209061 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:42:59.609463930 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:42:59.609944105 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:42:59.799822092 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:42:59.850060940 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:42:59.880184889 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:00.070482969 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:00.071881056 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:00.071927071 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:00.071964025 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:00.072026014 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:00.072141886 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:00.072185993 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:00.101435900 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:00.291613102 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:00.293498993 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:00.334599018 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:00.567238092 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:00.757567883 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:00.758194923 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:00.760538101 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:00.950436115 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:00.951421976 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:00.952045918 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:01.141944885 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:01.144304991 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:01.145651102 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:01.335634947 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:01.338243961 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:01.338982105 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:01.529109955 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:01.561570883 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:01.562120914 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:01.752135038 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:01.752588987 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:01.755343914 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:01.755575895 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:01.756513119 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:01.756659031 CEST  49771        587        192.168.2.4    198.54.122.60
May 12, 2021 18:43:01.945215940 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:01.945422888 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:01.946331024 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:01.946445942 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:02.048051119 CEST  587          49771      198.54.122.60  192.168.2.4
May 12, 2021 18:43:02.100208998 CEST  49771        587        192.168.2.4    198.54.122.60

                                                                          UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
May 12, 2021 18:41:03.409503937 CEST  53           53097      8.8.8.8      192.168.2.4
May 12, 2021 18:41:06.001240015 CEST  49257        53         192.168.2.4  8.8.8.8
May 12, 2021 18:41:06.053930998 CEST  53           49257      8.8.8.8      192.168.2.4
May 12, 2021 18:41:06.849554062 CEST  62389        53         192.168.2.4  8.8.8.8
May 12, 2021 18:41:06.901262045 CEST  53           62389      8.8.8.8      192.168.2.4
May 12, 2021 18:41:07.144414902 CEST  49910        53         192.168.2.4  8.8.8.8
May 12, 2021 18:41:07.204487085 CEST  53           49910      8.8.8.8      192.168.2.4
May 12, 2021 18:41:07.821753979 CEST  55854        53         192.168.2.4  8.8.8.8
May 12, 2021 18:41:07.873457909 CEST  53           55854      8.8.8.8      192.168.2.4
May 12, 2021 18:41:09.178797007 CEST  64549        53         192.168.2.4  8.8.8.8
May 12, 2021 18:41:09.230251074 CEST  53           64549      8.8.8.8      192.168.2.4
May 12, 2021 18:41:10.047784090 CEST  63153        53         192.168.2.4  8.8.8.8
May 12, 2021 18:41:10.097213030 CEST  53           63153      8.8.8.8      192.168.2.4
May 12, 2021 18:41:10.932950974 CEST  52991        53         192.168.2.4  8.8.8.8
May 12, 2021 18:41:10.982394934 CEST  53           52991      8.8.8.8      192.168.2.4
May 12, 2021 18:41:12.541414976 CEST  53700        53         192.168.2.4  8.8.8.8
May 12, 2021 18:41:12.590150118 CEST  53           53700      8.8.8.8      192.168.2.4
May 12, 2021 18:41:13.506570101 CEST  51726        53         192.168.2.4  8.8.8.8
                                                                          May 12, 2021 18:41:13.555785894 CEST53517268.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:14.945877075 CEST5679453192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:14.994628906 CEST53567948.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:15.741204023 CEST5653453192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:15.792881966 CEST53565348.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:16.585277081 CEST5662753192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:16.634048939 CEST53566278.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:17.545312881 CEST5662153192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:17.594043016 CEST53566218.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:18.336833954 CEST6311653192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:18.389944077 CEST53631168.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:20.369187117 CEST6407853192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:20.417994976 CEST53640788.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:21.323846102 CEST6480153192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:21.372611046 CEST53648018.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:22.152230978 CEST6172153192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:22.200800896 CEST53617218.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:22.947107077 CEST5125553192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:22.997580051 CEST53512558.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:23.819732904 CEST6152253192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:23.871279001 CEST53615228.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:33.682137966 CEST5233753192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:33.751017094 CEST53523378.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:39.326792002 CEST5504653192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:39.387689114 CEST53550468.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:51.787441015 CEST4961253192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:51.931333065 CEST53496128.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:52.548360109 CEST4928553192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:52.677354097 CEST53492858.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:53.351687908 CEST5060153192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:53.419094086 CEST53506018.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:53.448940039 CEST6087553192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:53.509237051 CEST53608758.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:54.054205894 CEST5644853192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:54.112636089 CEST53564488.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:54.755669117 CEST5917253192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:54.814783096 CEST53591728.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:55.421421051 CEST6242053192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:55.480340958 CEST53624208.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:56.073868990 CEST6057953192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:56.135301113 CEST53605798.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:57.465068102 CEST5018353192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:57.516727924 CEST53501838.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:58.462858915 CEST6153153192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:58.523763895 CEST53615318.8.8.8192.168.2.4
                                                                          May 12, 2021 18:41:59.237003088 CEST4922853192.168.2.48.8.8.8
                                                                          May 12, 2021 18:41:59.294154882 CEST53492288.8.8.8192.168.2.4
                                                                          May 12, 2021 18:42:02.080977917 CEST5979453192.168.2.48.8.8.8
                                                                          May 12, 2021 18:42:02.129935026 CEST53597948.8.8.8192.168.2.4
                                                                          May 12, 2021 18:42:10.213493109 CEST5591653192.168.2.48.8.8.8
                                                                          May 12, 2021 18:42:10.270724058 CEST53559168.8.8.8192.168.2.4
                                                                          May 12, 2021 18:42:10.538963079 CEST5275253192.168.2.48.8.8.8
                                                                          May 12, 2021 18:42:10.616045952 CEST53527528.8.8.8192.168.2.4
                                                                          May 12, 2021 18:42:12.800308943 CEST6054253192.168.2.48.8.8.8
                                                                          May 12, 2021 18:42:12.862032890 CEST53605428.8.8.8192.168.2.4
                                                                          May 12, 2021 18:42:45.151757956 CEST6068953192.168.2.48.8.8.8
                                                                          May 12, 2021 18:42:45.225744963 CEST53606898.8.8.8192.168.2.4
                                                                          May 12, 2021 18:42:47.729734898 CEST6420653192.168.2.48.8.8.8
                                                                          May 12, 2021 18:42:47.787163019 CEST53642068.8.8.8192.168.2.4
                                                                          May 12, 2021 18:42:58.861352921 CEST5090453192.168.2.48.8.8.8
                                                                          May 12, 2021 18:42:58.910320997 CEST53509048.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 12, 2021 18:42:58.861352921 CEST | 192.168.2.4 | 8.8.8.8 | 0xec91 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 12, 2021 18:42:58.910320997 CEST | 8.8.8.8 | 192.168.2.4 | 0xec91 | No error (0) | mail.privateemail.com | | 198.54.122.60 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 12, 2021 18:42:59.418620110 CEST | 587 | 49771 | 198.54.122.60 | 192.168.2.4 | 220 PrivateEmail.com Mail Node
May 12, 2021 18:42:59.419317961 CEST | 49771 | 587 | 192.168.2.4 | 198.54.122.60 | EHLO 928100
May 12, 2021 18:42:59.609463930 CEST | 587 | 49771 | 198.54.122.60 | 192.168.2.4 | 250-MTA-06.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
May 12, 2021 18:42:59.609944105 CEST | 49771 | 587 | 192.168.2.4 | 198.54.122.60 | STARTTLS
May 12, 2021 18:42:59.799822092 CEST | 587 | 49771 | 198.54.122.60 | 192.168.2.4 | 220 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior
System Behavior

General

Start time: 18:41:10
Start date: 12/05/2021
Path: C:\Users\user\Desktop\CRPR7mRha6.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\CRPR7mRha6.exe'
Imagebase: 0xd30000
File size: 976384 bytes
MD5 hash: FEF29C7C85536DCFC68B4F9D7B77D038
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.666204246.00000000040B1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.666204246.00000000040B1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.665014929.00000000030B1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 18:41:15
Start date: 12/05/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NrdwACrrcHu' /XML 'C:\Users\user\AppData\Local\Temp\tmpDD35.tmp'
Imagebase: 0xc0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:41:15
Start date: 12/05/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:41:16
Start date: 12/05/2021
Path: C:\Users\user\Desktop\CRPR7mRha6.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\CRPR7mRha6.exe
Imagebase: 0x740000
File size: 976384 bytes
MD5 hash: FEF29C7C85536DCFC68B4F9D7B77D038
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.917091302.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.917091302.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.918444816.0000000002B36000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.918280450.0000000002A81000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                          Disassembly

                                                                          Code Analysis

                                                                          Reset < >

                                                                            Executed Functions

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $%&l
                                                                            • API String ID: 0-3075001641
                                                                            • Opcode ID: 0148b624eb18c4dab51a8b917ebbfd9d55875c88303e8d3c9cb847410c1060a9
                                                                            • Instruction ID: 6431b0c70c4279f99c2dc64ab2af44608a2b72a2c4b60fa1aa1c08837c275365
                                                                            • Opcode Fuzzy Hash: 0148b624eb18c4dab51a8b917ebbfd9d55875c88303e8d3c9cb847410c1060a9
                                                                            • Instruction Fuzzy Hash: D1328674B012049FEB19DB69C550BABB7F6AF88204F2084BEE546DB3A4CB35E801CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6c5c5aeaed34f5ca928c092ae21fc5cd6694eadd8f114825ff581c1ed47e8263
                                                                            • Instruction ID: 5b549bdc94f8ee3bb10f791f85dc439ee891f324a6643608222bd4650ae026fa
                                                                            • Opcode Fuzzy Hash: 6c5c5aeaed34f5ca928c092ae21fc5cd6694eadd8f114825ff581c1ed47e8263
                                                                            • Instruction Fuzzy Hash: 37D13A70E162199FDF04CFA4D945AEEFBF2FB8D300F209429E515BB294E77599018B28
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 504a0c440049872fcd83dced9195e328ce15f451a32d6809a69a56e830f1c716
                                                                            • Instruction ID: 8f43b019f63ab3e885f8a9f646a5e3ab511998d9d48ef5eb5153e2546c2ca9c3
                                                                            • Opcode Fuzzy Hash: 504a0c440049872fcd83dced9195e328ce15f451a32d6809a69a56e830f1c716
                                                                            • Instruction Fuzzy Hash: 4781E274E102199FCF04DFA5D9459EEBFB2FF89300F20946AE816AB354DB3569018F54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fd71437d711810c45083c2ab5c34a9c95bfe3dcfd370da8e070f48b220716dcf
                                                                            • Instruction ID: a9b23f36c75fabf1b4c42dbd0a73f09e1f123f378e452c7e0fa305f6903d882f
                                                                            • Opcode Fuzzy Hash: fd71437d711810c45083c2ab5c34a9c95bfe3dcfd370da8e070f48b220716dcf
                                                                            • Instruction Fuzzy Hash: 9E714471E0462DCBDB28CF66CC407EABBB6BB89300F10D5AAD519B7214EB715A858F14
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bf8b708de03575ff95ba152f6feb9f28222ea855bd542ad24068c8f2ebfc22a1
                                                                            • Instruction ID: d58ea3dffdf89620320c7a6f5fb11490c831ab7e91b91c02fc347c6a551cb93b
                                                                            • Opcode Fuzzy Hash: bf8b708de03575ff95ba152f6feb9f28222ea855bd542ad24068c8f2ebfc22a1
                                                                            • Instruction Fuzzy Hash: 82414970E15218DBCB08CFA5D9845EEFBF2FB8D611F14942AE406B7254EB7898018B28
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 07db612905f96a167beaaad749bd2969583482c7300461c20e937f82f8eb455e
                                                                            • Instruction ID: 15a1ef8fa96d5cc4fb9ce74966e1769ecd135a5091a14263c90d02ec864be216
                                                                            • Opcode Fuzzy Hash: 07db612905f96a167beaaad749bd2969583482c7300461c20e937f82f8eb455e
                                                                            • Instruction Fuzzy Hash: 6341A2B1E113088FDF08CFAAC94569DFFF6AF85200F14C5AAC819AB359EA305902CB55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:

                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0BAC725E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateProcess
                                                                            • String ID:
                                                                            • API String ID: 963392458-0

                                                                            APIs
                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0BAC725E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateProcess
                                                                            • String ID:
                                                                            • API String ID: 963392458-0

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0

                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0309DD8A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0

                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0309DD8A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0

                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,03096D8E,?,?,?,?,?), ref: 03096E4F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0

                                                                            APIs
                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0BAC6E30
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite
                                                                            • String ID:
                                                                            • API String ID: 3559483778-0

                                                                            APIs
                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0BAC6E30
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite
                                                                            • String ID:
                                                                            • API String ID: 3559483778-0

                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,03096D8E,?,?,?,?,?), ref: 03096E4F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0

                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,03096D8E,?,?,?,?,?), ref: 03096E4F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0

                                                                            APIs
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0BAC6F10
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: MemoryProcessRead
                                                                            • String ID:
                                                                            • API String ID: 1726664587-0

                                                                            APIs
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0BAC6F10
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: MemoryProcessRead
                                                                            • String ID:
                                                                            • API String ID: 1726664587-0

                                                                            APIs
                                                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 0BAC6C86
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ContextThread
                                                                            • String ID:
                                                                            • API String ID: 1591575202-0

                                                                            APIs
                                                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 0BAC6C86
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ContextThread
                                                                            • String ID:
                                                                            • API String ID: 1591575202-0

                                                                            APIs
                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0BAC27CB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0

                                                                            APIs
                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0BAC27CB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0

                                                                            APIs
                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0309BE89,00000800,00000000,00000000), ref: 0309C09A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0

                                                                            APIs
                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0BAC6D4E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0

                                                                            APIs
                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0309BE89,00000800,00000000,00000000), ref: 0309C09A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0BAC6D4E
Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0309BBDB), ref: 0309BE0E
Memory Dump Source
• Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0309DEA8,?,?,?,?), ref: 0309DF1D
Memory Dump Source
• Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0309DEA8,?,?,?,?), ref: 0309DF1D
Memory Dump Source
• Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 0BACC18D
Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID:
• String ID: Mb1?
• API String ID: 0-1934780989
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID:
• String ID: Mb1?
• API String ID: 0-1934780989
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID:
• String ID: :kK
• API String ID: 0-3269981907
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID:
• String ID: :kK
• API String ID: 0-3269981907
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID:
• String ID: 6q7
• API String ID: 0-245043669
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID:
• String ID: 6q7
• API String ID: 0-245043669
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.664968892.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 948c043c77ad75b3131723429e0726aea2fb26013d2a30f18e9f8fd71c73ec5b
                                                                            • Instruction ID: 01370bc65b0922e4041d57037872bdcd6a70ded3539fff9601f5421b38d838b3
                                                                            • Opcode Fuzzy Hash: 948c043c77ad75b3131723429e0726aea2fb26013d2a30f18e9f8fd71c73ec5b
                                                                            • Instruction Fuzzy Hash: F731A5B1D016188FDB08CFAAD84159EBFF7EFC9201F24C27AD405A7215EB745A12CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a3c82846c9036ed04144c9ae64b8cf51dac7ea958886f61f43d049ab308ef2cb
                                                                            • Instruction ID: 5f15485fe7ab3e4d31216f6ed5af4e034fd1f9ec681750dfda9bb49f9455aed4
                                                                            • Opcode Fuzzy Hash: a3c82846c9036ed04144c9ae64b8cf51dac7ea958886f61f43d049ab308ef2cb
                                                                            • Instruction Fuzzy Hash: 0921F471E116199BDB08CFABD8416AEFBF7AFC9210F14C02AD418A7214EB305A028B51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 60f7f863e813af9ff35a28645718733b2980b29739c4022ff1072828acbb7d46
                                                                            • Instruction ID: 0fbf96fec1fd0f7b8c63dac59e10821bf4f6e2f363dd3f6c4a806f8a9b0e9605
                                                                            • Opcode Fuzzy Hash: 60f7f863e813af9ff35a28645718733b2980b29739c4022ff1072828acbb7d46
                                                                            • Instruction Fuzzy Hash: 7811D671E116199BDF58CFABD9406AEFBF7ABC8200F14C03AD518A7314DA305A018B95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.670762371.000000000BAC0000.00000040.00000001.sdmp, Offset: 0BAC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: acfb9e7879a25f68f26a1c7d74c8074c8ad207c702a0d44fab13a9078ec07858
                                                                            • Instruction ID: 19d2557cd4372fda57a7ef3027732d90ec7634dced5fcc366c4c2edd49309bf8
                                                                            • Opcode Fuzzy Hash: acfb9e7879a25f68f26a1c7d74c8074c8ad207c702a0d44fab13a9078ec07858
                                                                            • Instruction Fuzzy Hash: 9F11F8B1E116189BDB48CF6BD9416AEFAF7ABC8200F14C07AD508A7358DB305A418F55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Executed Functions

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.917418498.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: f8ebaf156cf9e27519c721df8b6ce9a4af9cd87a84fc3b6f3e752055c1e8ce85
                                                                            • Instruction ID: 89155372f73369ad75c61e8399130f2815d3dede712be2cec792ebcce2aed50a
                                                                            • Opcode Fuzzy Hash: f8ebaf156cf9e27519c721df8b6ce9a4af9cd87a84fc3b6f3e752055c1e8ce85
                                                                            • Instruction Fuzzy Hash: A711C030B003049FDB187BB5985977EB6A2EF85314F508979D9068F382EE35CD48C3A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: 654cbdb7740f52ea0db68598c21c3763ea3563d6d5610fa45dcbfff4d0362047
                                                                            • Instruction ID: f386f30faefa6832bf524ae4d55f769346e963a432d9ecca73da3470ff489803
                                                                            • Opcode Fuzzy Hash: 654cbdb7740f52ea0db68598c21c3763ea3563d6d5610fa45dcbfff4d0362047
                                                                            • Instruction Fuzzy Hash: 6F920774A04228CFCB64EF20D8587ADBBB6BF89305F5081E9E50AA3750DB359E85CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: 001e68e7670a40891a09404dc4a694b418275f2c3907016aa9b75de417c19197
                                                                            • Instruction ID: 4593442b5697a2402050c083e089cba17a9bc82d2b5f700abb3481e0b6fb861b
                                                                            • Opcode Fuzzy Hash: 001e68e7670a40891a09404dc4a694b418275f2c3907016aa9b75de417c19197
                                                                            • Instruction Fuzzy Hash: 9E42FAB5A04218CFCB65EF60D8587ADBBBABF89305F5081E9D50AA3340CB359E85CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: d41b1b49f9f918f48603ea01025fd0d04f8e77d6444632ef53b128c735f01024
                                                                            • Instruction ID: 57f63a348f39401a145eacd3400f37b0f6c8fe0027f94f77e5ee14290627af8a
                                                                            • Opcode Fuzzy Hash: d41b1b49f9f918f48603ea01025fd0d04f8e77d6444632ef53b128c735f01024
                                                                            • Instruction Fuzzy Hash: B042FA75A04218CFCB65EF60D8587ADBBBABF89305F5081E9D50AA3340CB359E85CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: 2fcbdafcba2d0826932d9264f275bfdd2d46670f812e618604fc13f32e42b2b0
                                                                            • Instruction ID: b9c24192644d622fd2c223eaec6070ea11f86b291f5f46ed01d61b5c83ce76a5
                                                                            • Opcode Fuzzy Hash: 2fcbdafcba2d0826932d9264f275bfdd2d46670f812e618604fc13f32e42b2b0
                                                                            • Instruction Fuzzy Hash: E7420A75A04218CFCB65EF60D8587ADBBBABF89305F5081E9D50AA3340CB359E85CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: e30d4c3a37f3684c8b1b5d30450df833d08ac12359dd9cbb5e87f1140fdb642e
                                                                            • Instruction ID: 7d966e6b92c25a3be4402218eda4593a4cf2d14e33fab4021eceb6afb526f84e
                                                                            • Opcode Fuzzy Hash: e30d4c3a37f3684c8b1b5d30450df833d08ac12359dd9cbb5e87f1140fdb642e
                                                                            • Instruction Fuzzy Hash: E842F975A04218CFCB65EF20D8587ADBBBABF89305F5081E9D50AA3340CB359E81CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: 93793b2766e29c4c571ce95b5b0cec9931156a9f618b5495a02e03bc2902451e
                                                                            • Instruction ID: 11df73336300d0eb8cbfbc8f5dc1b1328e1699ae2fc40f3ec686fadf0e4393bd
                                                                            • Opcode Fuzzy Hash: 93793b2766e29c4c571ce95b5b0cec9931156a9f618b5495a02e03bc2902451e
                                                                            • Instruction Fuzzy Hash: E74209B5A04218CFCB64EF60D8587ADBBBABF89305F5081E9D50AA3340DB359E81CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: b028ef44626d6b2c920cdd01efe09317e497464f0a82abc59eaf74b393164a2b
                                                                            • Instruction ID: 68e3a811060d419cd05b865ee5b6527be6faa7da6f7cc5678d7ff4f8954ed669
                                                                            • Opcode Fuzzy Hash: b028ef44626d6b2c920cdd01efe09317e497464f0a82abc59eaf74b393164a2b
                                                                            • Instruction Fuzzy Hash: 7142F9B5A04218CFCB64EF60D8587ADBBBABF89305F5081E9D50AA3340DB359E81CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: bc1e34e6f53a615e3c715582eaeec7743dfaf57910220d4f8350c997fa1c9eac
                                                                            • Instruction ID: 927f002ed6247ebeaac69e87a71006188db740f2932225d81cc1dbf1ada8c552
                                                                            • Opcode Fuzzy Hash: bc1e34e6f53a615e3c715582eaeec7743dfaf57910220d4f8350c997fa1c9eac
                                                                            • Instruction Fuzzy Hash: 1F32F9B5A04218CFCB64EF60D8587ADBBBABF89305F5081E9D50AA3340DB359E85CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: 717cecdf10bfd47d3d509cebe31858065ec77f260d59a3ef70f0f4d3993274b9
                                                                            • Instruction ID: e4600b9e64b8aedf34a5bd82ee5b43b54e750c74a8d174b2fd13452fe9537d14
                                                                            • Opcode Fuzzy Hash: 717cecdf10bfd47d3d509cebe31858065ec77f260d59a3ef70f0f4d3993274b9
                                                                            • Instruction Fuzzy Hash: BF32F9B5A04218CFCB64EF60D8587ADBBBABF89305F5081E9D50AA3340DB359E85CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: 685087aff56912a02635256ce263a3504708e1a2fdd67471a6fdb260d4f749c4
                                                                            • Instruction ID: 4cbf0c1605e9949cd9e729c6ec1ca09a9b6840e5b9874660ccf079c8f8ecb72a
                                                                            • Opcode Fuzzy Hash: 685087aff56912a02635256ce263a3504708e1a2fdd67471a6fdb260d4f749c4
                                                                            • Instruction Fuzzy Hash: 4B32E9B5A04218CFCB64EF60D8587ADBBBABF89305F5081E9D50AA3340DB359E81CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: ce876f3fa57514d6bbe401dadf878c9078433ffad68062acdc4ab8e25b70b293
                                                                            • Instruction ID: 7b401ed5755309e87bcda19355b14cc4aafc8f2f1005abfcfd637e3bb488383d
                                                                            • Opcode Fuzzy Hash: ce876f3fa57514d6bbe401dadf878c9078433ffad68062acdc4ab8e25b70b293
                                                                            • Instruction Fuzzy Hash: B232E975A04228CFCB64EF60D8587ADBBBABF89305F5081E9D50AA3740DB359E81CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: 5fec8f098cd596d354af7dfc617bb47c61479352fdd034441ca393156e711dab
                                                                            • Instruction ID: 787c37570cad6278f6972f6af53679e732ba3749c19db6d4c9ae065a7b62ac6c
                                                                            • Opcode Fuzzy Hash: 5fec8f098cd596d354af7dfc617bb47c61479352fdd034441ca393156e711dab
                                                                            • Instruction Fuzzy Hash: A232F975A04228CFCB64EF60D8587ADBBBABF89305F5081E9D50AA3340DB359E81CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: 7481d19f917156a2d727cda09876950e7eab07c2270829e7e0ef980272311950
                                                                            • Instruction ID: 259333c116cb3ec64ef89a35b975438fe5eed101ca23b921ff33bd2a38059a8b
                                                                            • Opcode Fuzzy Hash: 7481d19f917156a2d727cda09876950e7eab07c2270829e7e0ef980272311950
                                                                            • Instruction Fuzzy Hash: DD32F875A04228CFCB64EF60D8587ADBBBABF89305F5081E9D50AA3340DB359E81CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL ref: 00F80F06
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2638914809-0
                                                                            • Opcode ID: 6aff35b630ab7127ed0b13a5ecd9e105fd2ca7012fed35bf04e10d3f8e43800f
                                                                            • Instruction ID: d39628dadb1d4d498829746086772bf0c29640ee6e7ea622ac61d6e1ad3f8337
                                                                            • Opcode Fuzzy Hash: 6aff35b630ab7127ed0b13a5ecd9e105fd2ca7012fed35bf04e10d3f8e43800f
                                                                            • Instruction Fuzzy Hash: B622F975A04228CFCB64EF60D8587ADBBBABF89305F5081E9D50AA3340DB359E81CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 011C69A0
                                                                            • GetCurrentThread.KERNEL32 ref: 011C69DD
                                                                            • GetCurrentProcess.KERNEL32 ref: 011C6A1A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 011C6A73
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Current$ProcessThread
                                                                            • String ID:
                                                                            • API String ID: 2063062207-0
                                                                            • Opcode ID: d65855925282ce7ef7c0b914e78a0978ec2e183e3a22f5dbcdfb3b03b4353dfc
                                                                            • Instruction ID: 2c708c830bd3b7b7823c18bf5d41d801a437b7d9f1100bfc787b161a964a439c
                                                                            • Opcode Fuzzy Hash: d65855925282ce7ef7c0b914e78a0978ec2e183e3a22f5dbcdfb3b03b4353dfc
                                                                            • Instruction Fuzzy Hash: 7D5156B09042488FEB14CFAAD9887DEBFF0EF48314F24845EE549A7350D7789844CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 011C69A0
                                                                            • GetCurrentThread.KERNEL32 ref: 011C69DD
                                                                            • GetCurrentProcess.KERNEL32 ref: 011C6A1A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 011C6A73
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Current$ProcessThread
                                                                            • String ID:
                                                                            • API String ID: 2063062207-0
                                                                            • Opcode ID: 626a201a113f50f96e3b6d096df7f788db28d05b3f2c2c5b6af5848258a56440
                                                                            • Instruction ID: c37dc4ecdb8ea4a0518aad6d75dec69e0d67f9138649bda99d6dbb22201161f4
                                                                            • Opcode Fuzzy Hash: 626a201a113f50f96e3b6d096df7f788db28d05b3f2c2c5b6af5848258a56440
                                                                            • Instruction Fuzzy Hash: 0A5134B09102498FDB14CFAAD588BDEBBF0EF88314F24845DE519A7350D774A944CF65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 6e99632356eb421e2848babb7a3cbcd99660a472222719b6efabee06b11a16c9
                                                                            • Instruction ID: 04c249213f0b412b5bc04766b9a485b7f57839dc7b166d387b7d05f4f73f21c4
                                                                            • Opcode Fuzzy Hash: 6e99632356eb421e2848babb7a3cbcd99660a472222719b6efabee06b11a16c9
                                                                            • Instruction Fuzzy Hash: 23F13CB5A04228CFCB65EF20C8547ADBBBABF89305F5051E9D50AA3340CB359E85DF11
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: dd930a5de6c7be7e45e8bf4ba386c6ef05cbb9afbc8f17d8c30022e645b54479
                                                                            • Instruction ID: b96691ca41a54f442d1b526a0d7eb6baec2a87b3e2b6313cb097adc0fe5a3e71
                                                                            • Opcode Fuzzy Hash: dd930a5de6c7be7e45e8bf4ba386c6ef05cbb9afbc8f17d8c30022e645b54479
                                                                            • Instruction Fuzzy Hash: F1E13CB5A04228CFCB65EF20C8547ADBBBABF89305F5091E9D50AA3340CB359E85DF15
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 3957528a475c3a3c8f11ef0e4439ed0df16704e7c872940826f17178d7935af5
                                                                            • Instruction ID: 0c1d99c4f0690e60292f38bfc7e7345b1f2823e3f44e87a3badd8d16c2ec8eb2
                                                                            • Opcode Fuzzy Hash: 3957528a475c3a3c8f11ef0e4439ed0df16704e7c872940826f17178d7935af5
                                                                            • Instruction Fuzzy Hash: FAE13BB5A04228CFCB65EF20C8547ADBBBABF89305F5091E9D50AA3340CB359E85DF15
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: c3d2e75275fac8fb0e6963276342b352e373c17194f84ba9583f5f2caae2652e
                                                                            • Instruction ID: 4971c858d61b385d5d08b5a5d1a725d740201e3940ddb05cb3cc4e5251f4575f
                                                                            • Opcode Fuzzy Hash: c3d2e75275fac8fb0e6963276342b352e373c17194f84ba9583f5f2caae2652e
                                                                            • Instruction Fuzzy Hash: FCE14BB5A04228CFCB64EF20C8547ACBBBABF89305F5081E9D50AA3340CB359E85DF15
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 40a718b4eb13d8dc546c4362518301395ebe901d199fbc2ae475da336936fe18
                                                                            • Instruction ID: 9a480f446b658e353b4708d0f23377dbe535f4cd6442e7013718e9bdd8cc9158
                                                                            • Opcode Fuzzy Hash: 40a718b4eb13d8dc546c4362518301395ebe901d199fbc2ae475da336936fe18
                                                                            • Instruction Fuzzy Hash: 1ED13BB5A04228CFCB64EF20C8547ADBBBABF89305F5081E9D50AA3340CB359E85DF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F813AC
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 8ff0eada193da1180591561e4a2bfb9553026933157c8e8cf2063bfc38ae5a77
                                                                            • Instruction ID: 14e319da7fcb5ac2f3768e4ccd00b9cb64c4f674f282ee8389ff245ef1795e48
                                                                            • Opcode Fuzzy Hash: 8ff0eada193da1180591561e4a2bfb9553026933157c8e8cf2063bfc38ae5a77
                                                                            • Instruction Fuzzy Hash: 78D12BB5A04228CFCB64EF20C8547ADBBBABF89305F5091E9D50AA3340CB359E85DF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 719cfe3ec42f6757eb099829d4b5c1adff85479794e4beeb265b557b4e96b3ea
                                                                            • Instruction ID: 0e520f7a44054c51bb00259e74e1cf8e73a532f1614bb24a0d8c082eb78aa383
                                                                            • Opcode Fuzzy Hash: 719cfe3ec42f6757eb099829d4b5c1adff85479794e4beeb265b557b4e96b3ea
                                                                            • Instruction Fuzzy Hash: CCD11AB5A04228CFCB64EF20C8547ADBBBABF85305F5091E9D50AA3340CB359E85DF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 1f483cb947f4830c10565012e63583034ffd2658c3e15a5929832c443599c1a9
                                                                            • Instruction ID: e7bdec1e1b6b85ace4ae8a24d5f5ee118e2ca0391f4584d44f35094b712737cc
                                                                            • Opcode Fuzzy Hash: 1f483cb947f4830c10565012e63583034ffd2658c3e15a5929832c443599c1a9
                                                                            • Instruction Fuzzy Hash: 89C11BB5A04228CFCB64EF20C8547ADBBBABF85305F5091E9D50AA3340CB359E85DF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: d3b012cd055429d2b05aa1a6abf94373e580c082c47c70837b1491b31ae36c03
                                                                            • Instruction ID: 15b58d9657e7ab3a3667a698865a706460b4a936436a79633efdd7e70378d071
                                                                            • Opcode Fuzzy Hash: d3b012cd055429d2b05aa1a6abf94373e580c082c47c70837b1491b31ae36c03
                                                                            • Instruction Fuzzy Hash: 1AC11AB5A04228CFCB64EF20C8547ADBBBABF85305F5081E9D50AA3340CB359E86DF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F814E2
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 16968971c6ae66981394cf078e9d41fdba785eb3aab06f6996d25eec8985b272
                                                                            • Instruction ID: c35bf6a72e6aba92b47cbfeebead98344ae4307517c0a4650d8e3c3b53e8e1d0
                                                                            • Opcode Fuzzy Hash: 16968971c6ae66981394cf078e9d41fdba785eb3aab06f6996d25eec8985b272
                                                                            • Instruction Fuzzy Hash: 1CC10AB5A04228CFCB64EF20C8547ADBBBABF85305F5081E9D50AA3340DB359E85DF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 6592300277bcce13c2e1e7e231258415a4c3807a698791a462b04db6cf6255c6
                                                                            • Instruction ID: 0e6853786a0e8b2974217fb9af188a75b786b7355ad5a875f520db0956a50760
                                                                            • Opcode Fuzzy Hash: 6592300277bcce13c2e1e7e231258415a4c3807a698791a462b04db6cf6255c6
                                                                            • Instruction Fuzzy Hash: 5AB109B5A04228CFCB64EF24C8547ADBBBABF84305F5081E9D50AA3340DB359E85DF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 5bfda3cf230adb65af7b9ee2b47a49275752915f30fe6d316e2e61e7f811ec1b
                                                                            • Instruction ID: 6efa2bd8880d0a8cc0240cba69aafeb3bb2658c6bdb00860fd405e234d77f424
                                                                            • Opcode Fuzzy Hash: 5bfda3cf230adb65af7b9ee2b47a49275752915f30fe6d316e2e61e7f811ec1b
                                                                            • Instruction Fuzzy Hash: 68B119B5A04228CFCB64EF24C8547ADBBBABF84305F5081E9D50AA3340DB359E85DF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 70f7b18b8f31dbaf78a008ae5c5392dff434e8ec0867ada5b515f6a2d810a097
                                                                            • Instruction ID: 9aeff7e3d7b93d00898d7444a4b251c48d732afbf89176c845ee6309fac64d05
                                                                            • Opcode Fuzzy Hash: 70f7b18b8f31dbaf78a008ae5c5392dff434e8ec0867ada5b515f6a2d810a097
                                                                            • Instruction Fuzzy Hash: C5B109B5A04228CFCB64EF24C8547ADBBBABF84305F5081E9D50AA3340DB359E85DF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: b4b5b078fe6c83ecb3749a0f800b98d9c73b3ef2a66fd857436fb1c482817811
                                                                            • Instruction ID: 78d03fd6344bd1b30f1ce48e53e336c9358560b98789edbd531bfbb83162112d
                                                                            • Opcode Fuzzy Hash: b4b5b078fe6c83ecb3749a0f800b98d9c73b3ef2a66fd857436fb1c482817811
                                                                            • Instruction Fuzzy Hash: E5A119B5A042288FCB64EF24C8547ADBBBABF88205F5081E9D50AA3340DF359E85CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: aeacd4e0f053ace3858c6b54115aab0e0e3c7a73aef333416b9b7ac4be1df1c8
                                                                            • Instruction ID: 8918eacecfda982bbb93cecff12a6a929b51f1f278afd5605aef2230080669b5
                                                                            • Opcode Fuzzy Hash: aeacd4e0f053ace3858c6b54115aab0e0e3c7a73aef333416b9b7ac4be1df1c8
                                                                            • Instruction Fuzzy Hash: 6DA11BB5A04228CFCB64EF24C8547ADBBBABF88205F5081E9D50AA3740DF359E85CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: a1339e9b5b35a099a6a81b50c59487bca7d977878dd209514f2f2f54e709ab03
                                                                            • Instruction ID: 3e9a81583db535899c9d0363f738891f0a2a809b0e59611c1733322084c17bd6
                                                                            • Opcode Fuzzy Hash: a1339e9b5b35a099a6a81b50c59487bca7d977878dd209514f2f2f54e709ab03
                                                                            • Instruction Fuzzy Hash: 69A11BB5A04228CFCB64EF24C8547ADBBBABF88205F5081E9D50AA3740DF359E85CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 0f44d87e69a73a4e2f28071b7f604066f1fd51a4b392262f9951b32c2892b1f3
                                                                            • Instruction ID: 52f270b7e778b244152c53563a7cd5b51bab00430ae57bfb89bd14ff52e7e04a
                                                                            • Opcode Fuzzy Hash: 0f44d87e69a73a4e2f28071b7f604066f1fd51a4b392262f9951b32c2892b1f3
                                                                            • Instruction Fuzzy Hash: 17912BB5A042288FCB64EF24C8547ADBBBABF88305F5081E9D50AA3740DF359E85CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: dcf6c42dfa16eb6421dffdc8b311cf74686c42630eab471e84969df68b6fa68e
                                                                            • Instruction ID: 6f36ab7f9161de3bd6a36c85a580d03411b9e6fca515d6d153ae043132780de3
                                                                            • Opcode Fuzzy Hash: dcf6c42dfa16eb6421dffdc8b311cf74686c42630eab471e84969df68b6fa68e
                                                                            • Instruction Fuzzy Hash: 969139B5A042288FCB64EF24C8547ADBBBABF84305F5081E9D50AA3740DF359E86CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 56029bd7faecf1a425f79584b777503d9e943d161761038c3c2ca7b2268c3853
                                                                            • Instruction ID: e93fde1321f5f8ce8af3cbdfa65475faee144b3a18963b9721f4936dd829c69c
                                                                            • Opcode Fuzzy Hash: 56029bd7faecf1a425f79584b777503d9e943d161761038c3c2ca7b2268c3853
                                                                            • Instruction Fuzzy Hash: 14813AB5A042298FCB64EF24C8547ADBBBABF84205F5081E9D50AA3740DF358E86CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: dddd1eecf3f076a0f1da4d1e4ca21d655cd276a268f693a9013272a298b8da02
                                                                            • Instruction ID: 52b07314f2fccbc717fde7fa95d62e2b87f92b8c7a652e2c391bfe8f2419983e
                                                                            • Opcode Fuzzy Hash: dddd1eecf3f076a0f1da4d1e4ca21d655cd276a268f693a9013272a298b8da02
                                                                            • Instruction Fuzzy Hash: 1D814BB5A042298FCB64EF20C8547ADBBBABF84305F5085E9D50AA3740DF358E86CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: e1551ac1929c68e88fa284ecd694b214a2a75343bef2106abc8966ec76f7e146
                                                                            • Instruction ID: 688a8e4270c8ca85f415ba7f220be9f9fc848db9c404069c89c808ef29b9d25c
                                                                            • Opcode Fuzzy Hash: e1551ac1929c68e88fa284ecd694b214a2a75343bef2106abc8966ec76f7e146
                                                                            • Instruction Fuzzy Hash: B0714CB5A042288FCB64EF20C8547ADBBBABF84305F5085E9D50AA3740DF359E86CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 77d959790652cf267432ab2e4bf1f3624c00195d467e561e6ce5879adb7f92eb
                                                                            • Instruction ID: f0fca62b810983efb1b1898e14095efdd35414e122276102cd84c195d3aa248f
                                                                            • Opcode Fuzzy Hash: 77d959790652cf267432ab2e4bf1f3624c00195d467e561e6ce5879adb7f92eb
                                                                            • Instruction Fuzzy Hash: 55715DB5A042288FCB64EB20C8547ADB7BABF84305F5085E9D50AE3740DF358E86CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: d51f8ef024b252e46bc52178722fb5ff462a3cb4598e6fd6cdf9955c64257836
                                                                            • Instruction ID: 140a353c9420afa72fd86ac7bb673467e8aaa321ae22ea31e922f5b89e6139b9
                                                                            • Opcode Fuzzy Hash: d51f8ef024b252e46bc52178722fb5ff462a3cb4598e6fd6cdf9955c64257836
                                                                            • Instruction Fuzzy Hash: 1D615EB5A042288FCB64EB20C8547AD77BAAF84305F5085E9D50AE3741DF358E86CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00F818E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918018241.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DispatcherExceptionUser
                                                                            • String ID:
                                                                            • API String ID: 6842923-0
                                                                            • Opcode ID: 1ef02382df1da7a2884ca5f634ad43c22659a0982c04f09f8d33b13c8ced7135
                                                                            • Instruction ID: 174da6d24234f3df17e11b88e706e353098cf199e037ce6d1747d3c4bc685eb0
                                                                            • Opcode Fuzzy Hash: 1ef02382df1da7a2884ca5f634ad43c22659a0982c04f09f8d33b13c8ced7135
                                                                            • Instruction Fuzzy Hash: A0516EB5B042288FCB64EB30C8547AD76BAAF84305F1085E9D50AE3741DF358E85CF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8ef75cde6b8cda22a938f6a68191c10de15d7366c8ad49626316a774cebd53be
                                                                            • Instruction ID: e07dd6f4886efc3ac2f4c37b7f9ee975f7c2f9503932f2ca0bfd3b9b1a088d9d
                                                                            • Opcode Fuzzy Hash: 8ef75cde6b8cda22a938f6a68191c10de15d7366c8ad49626316a774cebd53be
                                                                            • Instruction Fuzzy Hash: B95103B1D00249EFDF15CFA9C984ACDBFB2BF48314F15816AE918AB220D771A955CF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011C51A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: 79deaaf28b6d4b19927f19aa58bd4f60e29b27796e91d194b61541aab0cf0c9b
                                                                            • Instruction ID: 44405568261714e4b2f1c47026afc6052f28a171544e3cbbcf414b6fff118330
                                                                            • Opcode Fuzzy Hash: 79deaaf28b6d4b19927f19aa58bd4f60e29b27796e91d194b61541aab0cf0c9b
                                                                            • Instruction Fuzzy Hash: A641B2B1D10309DFDB14CF99C984ADEBBB6BF88714F64812AE819AB210D774A945CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 011C7F09
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CallProcWindow
                                                                            • String ID:
                                                                            • API String ID: 2714655100-0
                                                                            • Opcode ID: 6a7d16d01ca2284b11c05ebeb24c653aba19b6c4a28352b4b896f86f8b1157e8
                                                                            • Instruction ID: 9662383f2d32402681d850d4d69e21226edc7c92e310a53c509658b35ac15601
                                                                            • Opcode Fuzzy Hash: 6a7d16d01ca2284b11c05ebeb24c653aba19b6c4a28352b4b896f86f8b1157e8
                                                                            • Instruction Fuzzy Hash: FF4149B5900209CFDB18CF99C488AAABBF5FB98714F25C45CE519A7361C774A841CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 011CC222
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: EncodePointer
                                                                            • String ID:
                                                                            • API String ID: 2118026453-0
                                                                            • Opcode ID: 571ffd26675c2c3a7c0add245d268d6fd0b0cb7d6f9b08bc2c3916344b2c2809
                                                                            • Instruction ID: 6ea9ede02d7646212ed9bd0ce65f19a642278ec8d51e6a62763a2c68272e9d52
                                                                            • Opcode Fuzzy Hash: 571ffd26675c2c3a7c0add245d268d6fd0b0cb7d6f9b08bc2c3916344b2c2809
                                                                            • Instruction Fuzzy Hash: 553102718053858FDB24CFA9D9083AEBFF0FB55718F28845DE448A3242C739980ACFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011C6BEF
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: fee8db0240a35207c4ac46d04130bf49abc27dc24012c28a723412e4081c4e7d
                                                                            • Instruction ID: 104a8634e06314185f6d1614c2f3bc02daa2abf85ee37a943b032ef9f7509f09
                                                                            • Opcode Fuzzy Hash: fee8db0240a35207c4ac46d04130bf49abc27dc24012c28a723412e4081c4e7d
                                                                            • Instruction Fuzzy Hash: BE21E4B59002089FDB10CF9AD984ADEBBF8FB48320F14841AE914B3310D374A954CFA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011C6BEF
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: 8c41ca77d6abad80f3b14feb277f8c5b2ee83e95b3f966c536f83b6e2463128c
                                                                            • Instruction ID: a9ffbb42736b34dc280cc17994dafce288a95fcb074865f1e4632b59e382b133
                                                                            • Opcode Fuzzy Hash: 8c41ca77d6abad80f3b14feb277f8c5b2ee83e95b3f966c536f83b6e2463128c
                                                                            • Instruction Fuzzy Hash: 3D21C4B59002499FDB10CF9AD984ADEBBF4FB48324F14841AE914A3350D374A954CFA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.917418498.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: a9afddabfa963268ab14ffefb025d6d3283d090e9c66006b94f5bb18b667f040
                                                                            • Instruction ID: 09eee81dd0a320a63b9cc50b91173caaf2e7b617e87360683dd496462be2d610
                                                                            • Opcode Fuzzy Hash: a9afddabfa963268ab14ffefb025d6d3283d090e9c66006b94f5bb18b667f040
                                                                            • Instruction Fuzzy Hash: B511A034B003009FDB047B74989977A76A2AF88301F60897DD8128F3C2EE358C49C7A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 011CC222
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: EncodePointer
                                                                            • String ID:
                                                                            • API String ID: 2118026453-0
                                                                            • Opcode ID: 87023631e0f05b12a90d62847192de395f4818aeb4e8fa198bd11e02359d646e
                                                                            • Instruction ID: a5bdb13f0c96fc5b02174153cb25be0de029b0b2a0eaa44050c675733b4101f7
                                                                            • Opcode Fuzzy Hash: 87023631e0f05b12a90d62847192de395f4818aeb4e8fa198bd11e02359d646e
                                                                            • Instruction Fuzzy Hash: 2C1189B19003098FDB24CFAAD54879EBBF4FB98714F24842DD408A3641CB38A945CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 011C4116
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: 69c2512c83f04bf36b30b4c8340586b76a51927d366b75f00b898763a8d85ae7
                                                                            • Instruction ID: 2114d8a291e32f47bbbab6f92010ddbbe45a92e2b513a476d07ee7028df74b5f
                                                                            • Opcode Fuzzy Hash: 69c2512c83f04bf36b30b4c8340586b76a51927d366b75f00b898763a8d85ae7
                                                                            • Instruction Fuzzy Hash: D31134B1D042498FDB24CF9AC444BDEFBF4EB89210F11842ED829B7600D378A545CFA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 011C4116
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: a28f5c74d23ab47e7852fcd110d527bb5f65c4e71a5a92c31484ee256990822d
                                                                            • Instruction ID: a448a6fd8b8bc5c5c1034baae55fc7d0f456441e03d93eba28573c726a0dbfd6
                                                                            • Opcode Fuzzy Hash: a28f5c74d23ab47e7852fcd110d527bb5f65c4e71a5a92c31484ee256990822d
                                                                            • Instruction Fuzzy Hash: 381113B2D042498FDB24CF9AC844BDEFBF4EB88224F15842ED429B7600D378A545CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

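The per-function records above follow a fixed layout (an `APIs` list, a `Memory Dump Source` line, a `Similarity` block of IDs and fuzzy hashes, and a `Uniqueness` score), which makes them easy to pull into a structured form for pivoting, for example to list every function that calls a given API or to compare `Instruction Fuzzy Hash` values across samples. The parser below is an added example and not part of the report or its tooling. Its sample input is constructed from two of the records visible above with the indentation removed; the handling of a `Strings` section is an assumption, since that section does not appear in this excerpt.

```python
"""Parse the per-function records of a sandbox report into Python objects (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Section headers as they appear in the report. "Strings" is an assumption: it is not
# visible in the excerpt above, but is treated like any other header if present.
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness"}

API_RE = re.compile(r"^(?P<func>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?\d+(?:\.\d+)?)%$")

# Constructed sample: two records copied from the report above, indentation stripped.
SAMPLE = """\
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 011CC222
Memory Dump Source
• Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 87023631e0f05b12a90d62847192de395f4818aeb4e8fa198bd11e02359d646e
• Instruction ID: a5bdb13f0c96fc5b02174153cb25be0de029b0b2a0eaa44050c675733b4101f7
• Opcode Fuzzy Hash: 87023631e0f05b12a90d62847192de395f4818aeb4e8fa198bd11e02359d646e
• Instruction Fuzzy Hash: 2C1189B19003098FDB24CFAAD54879EBBF4FB98714F24842DD408A3641CB38A945CFA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 011C4116
Memory Dump Source
• Source File: 00000005.00000002.918134510.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 69c2512c83f04bf36b30b4c8340586b76a51927d366b75f00b898763a8d85ae7
• Instruction ID: 2114d8a291e32f47bbbab6f92010ddbbe45a92e2b513a476d07ee7028df74b5f
• Opcode Fuzzy Hash: 69c2512c83f04bf36b30b4c8340586b76a51927d366b75f00b898763a8d85ae7
• Instruction Fuzzy Hash: D31134B1D042498FDB24CF9AC444BDEFBF4EB89210F11842ED829B7600D378A545CFA5
Uniqueness
Uniqueness Score: -1.00%
"""


@dataclass
class ApiCall:
    function: str
    module: str
    args: List[str]
    ref: int  # call-site address, parsed from the hex "ref:" field


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    source_file: Optional[str] = None
    offset: Optional[int] = None
    based_on_pe: Optional[bool] = None
    similarity: Dict[str, str] = field(default_factory=dict)  # "API ID", fuzzy hashes, ...
    uniqueness_score: Optional[float] = None


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    seen: set = set()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            # A header already seen in the current record means a new record starts.
            if current is None or line in seen:
                current = FunctionRecord()
                records.append(current)
                seen = set()
            seen.add(line)
            section = line
            continue
        if current is None:
            continue  # leading fragment of a record whose headers were cut off
        if line.startswith("•"):
            line = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m.group("args").split(",") if a.strip()]
                current.apis.append(ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16)))
        elif section == "Strings":
            current.strings.append(line)
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(line)
            if m:
                current.source_file = m.group("file")
                current.offset = int(m.group("offset"), 16)
                current.based_on_pe = m.group("pe") == "true"
        elif section == "Similarity":
            key, _, val = line.partition(":")  # "String ID:" with an empty value is kept as ""
            current.similarity[key.strip()] = val.strip()
        elif section == "Uniqueness":
            m = SCORE_RE.match(line)
            if m:
                current.uniqueness_score = float(m.group("score"))
    return records


def records_calling(records: List[FunctionRecord], function_name: str) -> List[FunctionRecord]:
    """Functions whose API list contains the named import (e.g. a pivot on RtlEncodePointer)."""
    return [r for r in records if any(a.function == function_name for a in r.apis)]


def group_by(records: List[FunctionRecord], key: str) -> Dict[str, List[FunctionRecord]]:
    """Group records by a Similarity field such as "API ID" or "Instruction Fuzzy Hash"."""
    groups: Dict[str, List[FunctionRecord]] = {}
    for r in records:
        groups.setdefault(r.similarity.get(key, ""), []).append(r)
    return groups
```

Grouping on `Instruction Fuzzy Hash` rather than `API ID` is the useful pivot: the two `GetModuleHandleW` records above share an API ID but have different opcode and instruction IDs, so they are distinct functions, not duplicates.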
                                                                            Non-executed Functions